Decision to impose an administrative fine


Dear [confidential], 


The Dutch Data Protection Authority (AP) has decided to impose on Uber Technologies Inc. and Uber BV (hereinafter jointly:
Uber) an administrative fine of €290,000,000. The AP believes that Uber violated Article 44 of the General Data
Protection Regulation (GDPR) because Uber allowed transfers of personal data to the United States without
providing adequate safeguards as provided for in Chapter V of the GDPR.


The AP believes that imposing an administrative fine on Uber is not only appropriate but also necessary. The AP has
found that the interest Article 44 GDPR is intended to protect, namely the continuity of the high level of protection of the GDPR
when transferring personal data to third countries, has not been guaranteed by Uber. The AP takes this seriously and has
therefore initiated enforcement against Uber.


The administrative fine is explained in this decision. To this end, the reason for the investigation, the facts, the 
established violation and the amount of the fine are discussed in turn. Finally, the dictum follows. 
1. Reason for the investigation


1. Uber is an internationally operating company that, among other things, acts as an intermediary between 
taxi drivers and passengers. Passengers use the general Uber App (for mobile phones) or possibly a 
browser to book a ride. Drivers use the Uber Driver App (hereinafter: driver app) to offer rides. 


2. Drivers must create an account to use the driver app.
After a ride, drivers are assessed by their customers and paid by Uber for the services provided.


3. On June 12, 2020, the Commission Nationale de l'Informatique et des Libertés (CNIL) filed a complaint
received from the French non-governmental organization Ligue Des Droits De L'homme Et Du Citoyen (LDH,
hereinafter: complainant) on behalf of 21 Uber drivers. Gradually, another 151 Uber drivers joined the complaint,
so that it was filed on behalf of 172 complainants. LDH subsequently filed an additional complaint with
the CNIL on September 29, 2020, which was forwarded by the CNIL to the AP on January 11, 2021.


4. In this additional complaint, the complainant states that Uber's legal position is not clear following the 
so-called SCHREMS II ruling of the Court of Justice of the European Union (hereinafter: CJEU). In the 
SCHREMS II ruling, the CJEU states that there is no equivalent level of protection in the United States for the 
transfer of personal data from the European Union (hereinafter also: EU) to the United States. As a result, 
the adequacy decision with the United States (‘Privacy Shield’) was no longer valid as an instrument for the 
transfer of personal data. The CJEU did indicate that “Standard Contractual Clauses” (SCC) made it possible 
to continue transferring data to the United States, provided that sufficient additional measures have been 
taken to ensure an equivalent level of protection. 1 


5. On April 16, 2021, the AP informed Uber in writing that it had initiated an investigation into the complaints filed by 
French Uber drivers. The central question in this investigation was whether Uber meets the requirements of 
Chapter V GDPR for the transfer of personal data of drivers from the EU to the United States. 


6. The AP subsequently found in its investigation a violation of Article 44 of the GDPR, because Uber allowed transfers of personal 
data to take place without providing appropriate safeguards as provided for in Chapter V of the GDPR. The investigation 
report was sent to Uber by letter dated April 13, 2023. Uber provided its views on the investigation report in a letter dated June 
9, 2023. On July 5, 2023, Uber explained its views orally during a views hearing at the AP office. 


1 CJEU July 16, 2020 — Data Protection Commissioner v. Facebook Ireland Ltd. and Maximillian Schrems, C-311/18. 
2. Facts and circumstances


2.1 Introduction 


7. Uber is the name of an electronic platform developed by Uber Technologies Incorporated (hereinafter UTI). UTI's principal
place of business is San Francisco, United States. The Uber platform is represented in the European Economic Area
(hereinafter: EEA) by Uber BV (hereinafter UBV).

In the cities where Uber operates, Uber enables passengers to order transportation services via the Uber
platform. One can request a ride with Uber in various European cities and countries and Uber has drivers who operate in
those territories.2


8. According to Uber's privacy statement, UBV and UTI are joint controllers for the processing of personal data of Uber drivers
in the EEA territory.3 Their responsibilities for complying with obligations under the GDPR are
described in an agreement.4


9. UBV has several data processing agreements with other Uber subsidiaries in EEA countries. For example, in relation to Uber
France SAS, Uber's subsidiary in France, UBV is identified as the controller and Uber France SAS as the processor.5
The data processing agreement states that within this relationship, UBV is the entity that makes the personal data of Uber
drivers available to other Uber subsidiaries in the EEA. However, in an explanation, Uber indicated that although UBV is
responsible for the personal data of Uber drivers in the EEA, technically these are made accessible by UTI.6


10. Uber drivers in the EEA must sign a contract with UBV to become an Uber driver.7


2.2 Uber drivers in driver-app 


11. Uber describes drivers as “users of the platform who provide transportation services individually or through
partner transportation companies using the Uber Driver application.”8 To become an Uber driver, one must


2 File document 20, Uber locations. 


3 The Uber privacy statement is available at: https://www.uber.com/legal/en/document/?name=privacy-notices


4 Uber Data Sharing Agreement between Uber BV and Uber Technologies Inc. Scope: Uber Personal Data & Employee Data closed on August 6, 2021.

5 File document 17, Response to information request 2, Appendix Processing Agreement Uber France SAS. 

6 See the minutes of the opinion hearing held on July 5, 2023. 

7 File document 4, Uber additional conditions for drivers. 

8 In response to the information request of July 7, 2021, Uber BV provided their administration regarding Driver Personal Data Processing Activities to the AP on August 9,
2021. What this means is stated under ‘III. Categories of Data Subjects Whose Personal Data Uber Processes’.
create an account on the driver app.9 To gain access to the platform, the driver must also
accept the ‘Conditions for independent Uber Partners’.10 These conditions can be adjusted unilaterally
by Uber.11 After the driver has met the conditions and logged in to the
app, he can ‘go online’. The driver can then accept, refuse or ignore rides (requested by passengers
near him). A driver who is online but decides to ignore a requested ride three times in a row will be automatically logged
out of the platform. However, the driver will still have access to the other facilities on the platform.

It should be noted that a driver has the option to cancel a trip that he has already accepted. 
Regarding Uber driver acceptance, rejection, and cancellation of rides, Uber tracks the percentage 
of rides canceled by a driver. 

[Confidential]. 12 After completing the journey, the 
passenger (the customer) is asked to rate the driver on a scale from 1 to 5. An average score that is 
below the threshold value could (previously) lead to exclusion from the platform. 


When requesting a ride, the driver will receive information about the type of ride requested (Uber the 
estimated duration of the journey. In addition, the Uber driver can contact the passenger via text 
message or telephone. The passenger can in turn request a specific type of ride from one location to 
another and receive a quote for the ride. After agreeing to the fare, information about the driver who 
accepted the ride is shown to the passenger. This information includes, but is not limited to, the 
driver's photo, name, rating, type of ride provided by the driver, live location, car type, license
plate number, and any messages and/or telephone calls from the driver.


13. Uber also assigns different classifications to Uber drivers, such as Gold, Platinum or Diamond.
Based on the classification, a driver is given certain privileges on trips that can be profitable.13 To
achieve a certain classification, a driver must meet the following criteria: 1) a rating of 4.85 out of 5;
2) an acceptance rate of 85% or higher, and 3) a cancellation rate of 4% or lower. In
addition, Uber has a points system with which a driver can earn points that count towards the
classification.14


14. Disagreements between a passenger and a driver, for example about the fare, are handled by Uber. In
such a case, Uber can unilaterally decide to refund the fare (in whole or in part) to the passenger, after 
which the driver will be paid a lower amount for the ride.15 


9 General Uber Terms of Use, available at: https://www.uber.com/legal/nl/document/?name=general-terms-of-use&country=netherlands&lang=nl , Article paragraph 5.3 and further.

10 File 4 and ‘Terms and conditions for independent Uber partners’, updated on July 12, 2020.

11 General Uber Terms of Use, available at: https://www.uber.com/legal/nl/document/?name=general-terms-of-use&country=netherlands&lang=nl , Article paragraph 16.1.

12 [confidential] 

13 Ibid. 

14 Ibid, r.o. 1.17.

15 Ibid, r.o. 1.16. 
15. Finally, Uber can unilaterally decide to no longer give an Uber driver access to the Uber platform. The
reasons for denial of access include, for example, non-compliance with the rules, fraud,
unacceptable behavior or dangerous driving behavior. However, an average rating below 4.5 out
of 5 could (previously) also lead to exclusion from the platform.16


2.3 The processing activities 


16. Uber has a centralized IT infrastructure on UTI's platform and servers located in the United States. The
personal data of Uber drivers, who are located in the EEA, are therefore processed in the United
States. In its investigation, the AP has identified the following two relevant situations in which
processing takes place that qualifies as a transfer within the meaning of the GDPR.


17. In the first situation, the personal data of Uber drivers, who are located within the EEA, is
collected via the driver app and stored on a platform that is physically located in the United States.17
In addition to account and location data, other data is also stored in the United States (depending
on the legal rules in a country), such as identity documents, criminal and health data and a
taxi license.18


18. The second situation concerns the exercise of GDPR rights by data subjects. UBV is responsible for
assessing the scope of requests regarding the rights of data subjects and for communicating with
data subjects.19 UTI is responsible for making the personal data available to UBV in order to
respond to data subject requests. According to the AP, there is a structural exchange of personal
data between UBV in the Netherlands and UTI in the United States. Firstly, via the driver app
and by email (from the device in the EEA), the personal data of the Uber drivers, which
are processed within the EEA under the responsibility of UBV, ends up on UTI's servers in the
United States. Secondly, a structural exchange of personal data takes place between UBV
and UTI.


19. The above situations are further explained by Uber as follows. 20 


Situation 1 


20. The first situation concerns the driver app within which Uber drivers in the EEA can use their
smartphone to share personal data with UTI. When the driver uses the app for the first time,


16 Ibid, r.o. 1.13. 

17 See file document 11, Response to information request 1, Appendix section International Data Flows, page 2. See also file document 17, Response to information request 2, Appendix UBV-UTI Data Sharing 
Agreement, page 2 ff. 

18 See file document 23, Requirements for drivers and file document 17, Response to information request 2, Appendix 2012UBV ROPA. 

See also file document 17, Response to information request 2, Appendix 2012UBV ROPA, page 2. The document discusses, among other things, 

“evidence of health fitness to provide services"or z 

19 See file document 17, Response to information request 2, Appendix UBV-UTI Data Sharing Agreement, pages 2 and 3, “UBV shall be responsible for assessing
the validity and the scope of requests for the exercise of data subject rights, and for responding to data subjects.”


20 See “Uber's view on the investigation report and intention to enforce” of June 9, 2023, p. 19-26.
the driver is asked to provide personal data such as his name, email address and telephone number.
The data is then stored on UTI's servers in the United States. Uber indicates that in this situation the driver provides
his personal data directly to UTI without (technical) intervention from UBV or other European subsidiaries.
This is confirmed in, among other things, the agreement between UTI and Uber BV about the responsibilities of both
parties and other documentation provided by Uber.21


Situation 2 

21. The second situation concerns the rights of data subjects. More specifically, 1)
assessing the scope of data subjects’ requests with regard to their rights under the GDPR, and 2) communicating with
data subjects about the exercise of their rights.


22. According to Uber, data traffic takes place from the moment the Uber driver submits a request (relating to his rights 
under the GDPR) until the moment Uber responds to the data subject's request. Uber further states that the data 
traffic between the data subject, UBV and UTI depends on the specific request made by a driver. Uber then describes 
the standard procedures used to handle a data subject's request. 


23. According to Uber, the first step in such a procedure is the way in which the data subject makes the request. Uber
gives drivers the opportunity to exercise their rights by:
a) completing the form in the driver app or on the Uber website;
b) sending an email to Uber; or
c) using other forms of communication (via a letter addressed to Uber or in a telephone conversation with
an Uber employee).


Ad (a) 

24. Uber's driver app and website use UTI servers located in the United States. When an Uber driver wishes to exercise his
rights under the GDPR directly via the driver app or Uber website, the data flow associated with the handling of
such requests takes place (directly) from the smartphone or other device of the Uber driver concerned,
located in the EEA, to UTI's servers located in the United States. This is regardless of the entity
the data subject chooses to contact. Uber states that at this stage UTI is the only entity receiving the request as the
request is being made to Uber's platform operated and managed by UTI.


Ad (b) 
25. An Uber driver may choose to exercise his rights by sending an email to an address within the uber.com domain (email
address ending in uber.com). Uber's email traffic uses


21 See file document 17, Response to information request 2, August 9, 2021, page 16 ff. and Appendix UBV-UTI Data Sharing Agreement, page 2 ff. 
UTI's IT systems located in the territory of the United States. Uber declares that in this situation there is only data traffic that
takes place directly from the data subject (via his personal device) on EEA territory to UTI's systems located in the
United States.


Ad (c) 


26. The Uber driver may choose to exercise his rights under the GDPR in another way, such as by post or telephone. Uber indicates that
these other methods represent only a small percentage of the requests made by Uber drivers in the European Union
(less than 10 requests per year). If the Uber driver chooses to send a letter to UTI's address in the United States or if the Uber
driver telephones an employee in the United States and expresses his wish to exercise his rights, then according to Uber there is
always direct data traffic from the driver located in the EEA to UTI in the United States.


27. According to Uber, if the Uber driver chooses to send their request to UBV located in the EEA or another subsidiary
located in EEA territory, there is direct data traffic between the driver and that entity. Uber reaches the same
conclusion if the Uber driver chooses to communicate by telephone with an Uber employee located in the EEA. After
receiving the request, the employee advises the Uber driver to make his request in the driver app because the request can
be processed fastest via this route. If the Uber driver chooses not to do this, the employee will place a note directly in UTI's
IT systems. Although these are located in the United States, the Uber employee (who is in EEA territory) can access
them remotely.


28. In the case of letters, these will be forwarded by UBV to UTI. Forwarding the letter and making a note (of a telephone
conversation) is handled digitally by the UBV employee. The UBV employee connects via the browser on his
computer to the Bliss Content system that uses UTI's servers in the United States. The content of the request made by
the driver is described by the employee in this system. Uber indicates that in this situation there is data traffic from the
computer located in the EEA to the systems in the United States.


29. To further explain the data being processed, Uber explains that an Uber driver who exercises a right via the driver app or the
website is not required to enter his personal data on the platform. Most Uber drivers are logged into the platform via their
personal account. The data traffic that takes place when the request is submitted consists of the specific request that the
driver makes (the data requested) and the ‘Universally Unique Identifier’ (UUID) linked to the Uber driver's account. Each
account on the Uber platform is linked to a UUID that allows the Uber driver to be identified on the Uber platform and
systems.
If the Uber driver is not logged in to the platform (driver app or website), a request can be made on
the driver app or website by providing information regarding the rights to be exercised, name,
email address and phone number associated with the Uber driver's account. This information is necessary
to associate the request with the driver's UUID and initiate the process of handling the driver's request.

If the Uber driver makes the request by email, mail or telephone, the driver will be asked for the same
type of information.


31. The second step in the procedure is the preparation process to answer the data subject's request. Most
requests from data subjects are handled automatically via the self-service portal that the Uber
driver has access to. The self-service environment is located on UTI's servers in the United States and has
two functions: 1) ‘Explore Your Data’
with which the Uber driver can view his personal data and 2) ‘Download Your Data’ with which an
Uber driver can download a copy of his personal data. If the request can be handled entirely through these
functions in the self-service environment, all necessary personal data will be automatically collected
in UTI's systems in the United States. This data is then shared directly with the data subject without any
intervention from an Uber employee. With this fully automated preparation, Uber states that there is no data
traffic from the EEA to the United States.


32. If the self-service environment cannot handle the request for reasons of question or complexity, an Uber
employee must (partly) prepare the response to the driver's request manually.
Uber notes that in the first four months of 2023, approximately 25 requests per month
were handled this way.


33. In the process of partially manual response to the request, an employee of UBV
can view the data subject's request. The employee does this by accessing UTI systems located in the
United States via the browser of his computer located in the EEA. Uber indicates that this situation
involves data traffic from the United States to the EEA, which includes the UUID number and the content of
the driver's request.


34. Uber indicates that the type of personal data that must be collected about the Uber driver to respond to the request
depends on the type of request from the data subject. Because Uber has a centralized IT infrastructure on
UTI's platform and servers, which are located in the United States, the personal data of Uber drivers located in the EEA are
processed in the United States. To comply with the request, the employee must collect data stored on UTI's servers. To
collect the relevant personal data on the servers, the UBV employee must assess the scope of the data subject's
request.


After the scope has been determined, the UBV employee accesses the relevant UTI systems via the browser
on his computer located in the EEA. The scope of the data subject's request - parameters indicating the
nature of the personal data - is entered into the search engine together with the UUID of the Uber driver
by the respective employee. In UTI's systems
a search is then made for the personal data that meet the criteria entered by the UBV employee
in the search engine. This process takes place entirely on servers located in the United States
and it takes several hours for the search results to be transferred directly to a spreadsheet on the
server in the United States. After the information is transferred to the spreadsheet, the
employee receives a message that the requested information is ready. The UBV employee can then
view the spreadsheet via the browser of his computer in the EEA.


35. The UBV employee checks the collected information and deletes information that falls outside 
the scope of the driver's request. If the collected data does not provide the information that 
can be used to adequately answer the request, the employee will perform a new search according 
to the procedure described previously. This procedure is repeated until the employee has the 
necessary personal information to adequately answer the request. Uber notes that the 
employee in question does not add any personal data to the spreadsheet himself. 


36. Uber indicates that data collection almost exclusively involves data traffic within the United States. It 
is also noted that the UBV employee only has access to the personal data stored on UTI's servers 
in the United States. Uber emphatically notes that the UBV employee has remote access 
to the personal data and that these are not stored on the UBV employee's server or computer 
located on EEA territory. Only entering the parameters for selection is considered by Uber as data 
traffic from the EEA to the United States. 


37. The final step in the (partly manual) handling procedure of data subjects’ rights is answering the
request made by the driver. Once the aforementioned spreadsheet is filled with the personal
data within the scope of the request, the spreadsheet is ready to be shared with the Uber driver.
This step is performed by the UBV employee who, from the browser on his computer, has access
to the spreadsheet and UTI's systems located in the United States. The employee in question
instructs the system to export the spreadsheet to the so-called ‘file mailbox’. The data traffic linked
to this process concerns only the flow of data within the territory of the United States. Uber explains this further by
saying that the ‘file mailbox’ is on UTI's servers and that the spreadsheet that is on UTI's servers
is exported from one system to another (but remains on UTI's server). Once the data has been
transferred to the ‘file mailbox’, it will be opened by the UBV employee and the employee will then
make it available to the Uber driver. More specifically, the ‘file mailbox’ sends a link to the Uber
driver in the EEA and the Uber driver can use the link to
download personal data contained in the spreadsheet. According to Uber, this concerns data traffic
from the United States to the driver in Europe.


38. Uber notes that there is a temporary exception to this process when it comes to rights of
data subjects with regard to proof of payment. If a proof of payment is part of a driver's request
for access, the UBV employee must retrieve the proof of payment from the UTI servers
to his computer located in the EEA. This document is then manually uploaded by the UBV employee
to the ‘file mailbox’ on the servers in the United States.
After this document has been uploaded, the UBV employee deletes the document from his computer. The data traffic this
entails involves the transmission of personal data from the United States to the EEA and back to the United States. Uber
notes that this method of handling payment receipts is temporary and that they expect this process to be aligned with the
procedure described above for handling requests from data subjects within a few weeks.


2.4 Number of Uber drivers and GDPR requests from data subjects 


39. The AP asked Uber about the number of registered Uber drivers in the EU and how often
data subjects have invoked their GDPR rights.


40. From August 6, 2021 to mid-February 2023, there were on average [confidential] drivers active in
France and [confidential] drivers throughout the EU. On February 17, 2023, there were a total of
[confidential] active drivers in the EU.22


41. Between August 2021 and February 2023, Uber carried out [confidential] access requests from EU drivers with the automatic
‘download your data tool’. This allows drivers to download their personal data based on the generic categories that Uber
offers in the ‘download your data tool’. Uber has also carried out [confidential] removal requests for (former)
drivers from the EU. In addition, Uber indicates: “In addition to the use of the ‘Download Your Data’ tool, Uber processed
[confidential] requests from French (former) drivers for a more extensive access request between August 6, 2021 and
February 1, 2023.”23


2.5 The application of a transfer tool by Uber


42. Uber has stated the following regarding the transfer of personal data to third countries:


“For transfers of data subjects’ data to third countries, Uber’s standard practice is (and has been) to have standard
contractual clauses (SCCs) in place when a third country has not been afforded an adequacy decision in order to ensure a
high level of protection, and to conduct a “third party risk management” assessment to identify potential risks and ensure
data protection for its user’s data.”24


43. However, in 2021, Uber decided that the processing of personal data of EU drivers in the United
States does not require standard contractual clauses. Uber states that there is no transfer and
that due to the joint responsibility of UBV and UTI, Article 3 of the GDPR fully applies to personal
data processed in the United States.


22 See file 26, Response to information request 4, March 13, 2023. The AP asked Uber for the number of registered drivers in the EU.
The AP has provided a number of reference dates for this to get an impression of the number of drivers over a period. Uber provided figures
for drivers who completed at least one trip in the 28 days prior to a reference date.

23 See file 30, Additional answers from Uber March 23, 2023.


24 See file document 17, Response to information request 2, August 9, 2021, page 6.
With reference to the updated SCCs of the European Commission,25 Uber states the following: “In
light of this, Uber revisited its joint controller agreement to delete the SCCs, and to clarify joint controller
responsibilities. Therefore, Uber has adopted a new version of its joint controller agreement, in which the new regulatory
requirements and relationship between UTI and UBV are reflected”.26


The Data Sharing Agreement that Uber refers to has a version date of August 6, 2021. Based on Uber's statement, the AP
therefore determines that Uber removed the standard contractual clauses for the transfer of personal data to third
countries from the above-mentioned agreement as of August 6, 2021.27 Uber had subsequently not
implemented any other transfer instruments, such as binding corporate rules or a certification mechanism.28


45. On 10 July 2023, the European Commission adopted the adequacy decision 'EU-US Framework for
data protection'.29 Uber certified under the EU-US Data Privacy Framework on November 27, 2023.30
Uber says the following in its privacy statement31:


“When we transfer user data from the EEA, UK and Switzerland, we do so on the basis of the necessity to fulfill our
agreements with users, consent, adequacy decisions regarding the country of transfer (available here, here or here),
and transfer mechanisms such as the Standard Contractual Clauses adopted by the European Commission (and their
approved equivalents for the UK and Switzerland), and the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK
Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”), as set forth by the U.S.
Department of Commerce. [...] UTI has certified to the United States Department of Commerce that it adheres to (1) the
EU-U.S. Data Privacy Framework Principles regarding the processing of personal data received from EEA member
countries in reliance on the EU-U.S. DPF [...] In the event that the EU-U.S. DPF or the Swiss-U.S. DPF are invalidated,
Uber will transfer data that is subject to these certifications in reliance on the other data transfer mechanisms described above.”


Uber's view


46. The AP is of the opinion that Uber violated Article 44 GDPR because Uber allowed transfers of personal data to the United
States from August 6, 2021 to November 27, 2023, while there was no valid adequacy decision and no appropriate
safeguards were provided as provided in Chapter V of the GDPR. The AP summarizes Uber's view in Chapter 3.
Chapter 4 provides the AP's legal basis for the violation and also the AP's response to Uber's view.


Application of Chapter V GDPR


25 Implementing Decision (EU) 2021/914 of the European Commission.

26 See file document 17, Response to information request 2, August 9, 2021, page 5.

27 See file document 17, Response to information request 2, Appendix UBV-UTI Data Sharing Agreement.

28 See Articles 46 and 47 GDPR for a complete overview.

29 https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en

30 https://www.dataprivacyframework.gov/list

31 https://www.uber.com/legal/nl/document/?name=privacy-notice&country=france&lang=en
47. Uber is of the opinion that Article 44 GDPR has not been violated, because Chapter V of the GDPR does not
apply to the investigated processing operations. Firstly, according to Uber, Chapter V does not apply,
because Article 3 GDPR already applies. According to Uber, Chapter V is intended to accommodate cases that fall
outside the scope of Article 3 GDPR, so that the protection offered by the GDPR is not undermined. Because the data is
already protected by the application of Article 3 GDPR, the simultaneous application of Article 3 GDPR and Chapter V
GDPR is duplicative and therefore meaningless.


48. Secondly, Uber argues that Chapter V is subordinate to Article 3, and therefore cannot be applied simultaneously. According to Uber, any other interpretation is contrary to the EU's international obligations, in particular the WTO Agreement and the associated GATS agreement. It follows from these international commitments that Member States may not treat non-European entities more disadvantageously than European entities under the agreement. Case law has established that derived Community law, including the GDPR, must be interpreted as much as possible in line with international law. A simultaneous application of Article 3 GDPR and Chapter V is contrary to the EU's obligations under international law and the obligation to interpret derived Community law in line with international law. Therefore, the relationship between Article 3 GDPR and Chapter V GDPR must be interpreted in such a way that they cannot apply simultaneously.


The concept of ‘transfer’ 

49. Uber states that the concept of 'transfer' is not defined by the GDPR. This was a conscious choice by the European legislator, who did so despite the objections and advice of various institutions such as the EDPS, the EECC and the EDPB. In addition, European data protection authorities, including the AP, never implemented the concept until February 14, 2023, despite the fact that this was requested by various stakeholders. Only on February 14, 2023 did the EDPB provide an interpretation of the concept of ‘transfer’, but in addition to the fact that it itself admits that it is a legally uncertain concept because the GDPR does not provide a definition of it, the EDPB's interpretation itself is only one possible interpretation and, moreover, non-binding. In addition, the EDPB has requested the EC to further clarify the concept. The AP cannot rely on this single interpretation for the above reasons without further substantiation.


There is no question of transfer in the present case 

50. Uber further argues that there is no transfer because, according to the EDPB guidelines, there must be a processor or controller who acts as an exporter of the personal data, while in this case it concerns data subjects who themselves make the personal data directly available to UTI. Insofar as it is argued that Uber exports the data because the drivers do so under the responsibility of UBV, this argument is unsuccessful, because the AP is thereby introducing a new standard that does not follow from the guidelines or from the GDPR. In addition, the argument is unsuccessful because 1) the actual data transfer must be assessed, 2) it does not follow from the qualification as joint controller that UBV itself makes the personal data available and 3) nor does it follow from the factual and legal division of responsibilities between UBV and UTI that UBV is responsible for sharing personal data with UTI when a driver does so.


Transfer tools and grounds for exception


51. Uber states that even if there were a transfer, this transfer would be in accordance with Chapter V GDPR. First, Uber implemented standard contractual clauses in the Data Sharing Agreement (DSA) between joint controllers UBV and UTI until August 6, 2021 as an optional safeguard for the data traffic under investigation. Uber has removed the standard contractual clauses from this in good faith, because on June 4, 2021, the EC, with the introduction of new standard contractual clauses, stated in its considerations that the new standard contractual clauses may not be used to the extent that the processing by the importer falls within the scope of art. 3 paragraph 2 GDPR. The lack of any progress by the EC in developing standard contractual clauses specifically for importers who already fall within the scope of the GDPR also shows that the EC has so far taken the position that application of art. 3 GDPR excludes the application of Chapter V GDPR. In any case, according to Uber, it is certain that no standard contractual clauses were available to Uber in the meantime. Apart from the standard contractual clauses, according to Uber, none of the alternative transfer instruments are currently realistic alternatives.


52. Secondly, any transfer of personal data by Uber is lawful, because Uber believes that it can rely on the exception of art. 49 paragraph 1 sub b and c GDPR. Uber states that transfer based on art. 49 GDPR does not require that the level of protection in the third country broadly corresponds to the level of protection guaranteed within the EU by the GDPR. According to Uber, exclusively meeting the conditions stated in art. 49 GDPR is sufficient. This follows, among other things, from the wording of the GDPR and from legal consideration 202 of Schrems II.


53. In any case, according to Uber, both exception grounds do not require, as the AP states, that the transfer is "incidental". Although this follows from recital 111 of the GDPR, this is at odds with the text of the GDPR itself, the case law of the CJEU and the central government's manual. Firstly, ‘incidental’ is not in the text of the GDPR. In fact, it says that art. 49 can also be used for a series of transmissions. Secondly, GDPR recitals do not create a new standard and do not have independent legal force, as is also confirmed by settled case law of the CJEU, among others. Thirdly, judges do not use ‘incidental’ as a condition, and art. 49 can be interpreted broadly in the case of data transfer within companies or within a group of companies. Fourthly, the Ministry of Justice and Security manual does not mention 'incidental' as a condition. In addition, grounds b and c do require that the transfer is necessary, but this does not have to be close and substantial, as follows from Dutch case law.


54. Uber argues that if it is assumed that there is an international transfer, it is possible to rely on art. 49 paragraph 1 sub c for the situation in which drivers make GDPR requests and on art. 49(1)(b) for cases in which drivers use the driver app.


55. As for the situation where GDPR requests are made by drivers, this transfer meets all the conditions of art. 49 paragraph 1 sub c GDPR, in particular because the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person. The agreement has been concluded in the interest of the data subject, because the DSA regulates and facilitates the GDPR rights that constitute and support the data protection of the drivers; this also follows from Art. 26 GDPR and the associated recital 79. The transfer is furthermore necessary for the execution of the agreement. The transfer takes place in the context of the DSA and is directly related to the completion of access requests. In addition, data transfer is unavoidable due to Uber's centralized IT infrastructure, which in turn is crucial for Uber's specific services as well as for the global application of Uber's technical and organizational GDPR measures. Finally, according to Uber, there is very little data transfer in the context of access requests (only 25 per month).


56. With regard to the situation in which drivers use the driver app, the transfer meets all the conditions of art. 49(1)(b), and in particular the condition that a transfer is necessary for the performance of a contract between the data subject and the controller (UBV and UTI via the DSA). According to Uber, necessity results from the ability to comply with the agreement between UBV and the driver. Uber must fulfill its contractual obligation to provide rides, and can only do so based on data transfer from the driver (e.g. his location). The data transfer is therefore necessary to execute the contract between the driver and Uber.


4. Assessment 


4.1 Processing of personal data 


57. The AP makes the following assessment. Using the driver app requires drivers to create an account. The documents and personal information collected during this registration enable Uber to start its processing activities of personal data of Uber drivers.


58. The AP has established in paragraph 2.3 that Uber processes various data from Uber drivers in that context. In addition to account data, location data, photos, proof of payment and reviews, Uber also processes other data (depending on the legal rules in a country), such as identity documents, criminal law and health data.


59. The AP is of the opinion that Uber processes personal data as referred to in Article 4, parts 1 and 2, 
of the GDPR. 


4.2 Controller and authority of AP


60. Uber BV is a company established in the Netherlands and is part of the Uber group. Uber Technologies Inc. is located in the United States and is the parent company of Uber BV, among others. The (French) drivers have entered into an agreement with Uber BV.


61. The terms “controller” and “processor” are functional terms: they are intended 
to allocate responsibilities according to the actual roles of the parties, which means that the legal 
status of a party as “controller” or as “processor” should in principle be determined by its actual 
activities in a specific situation, and not by the formal designation of a party as “controller” 
or “processor” (e.g. in an agreement). 32 


62. Uber BV and Uber Technologies Inc. jointly determine the purposes and means of the processing for the personal data of Uber drivers in the European Economic Area (EEA). The AP is therefore of the opinion that UBV and UTI should be regarded as joint controllers for the international transfer that is part of two larger series of processing activities as described in situations 1 and 2. The joint controllership has not been disputed by Uber. For requests regarding the rights of data subjects (situation 2), the division is that UBV is responsible for assessing such requests and that UTI provides the technical resources and personal data. UTI is also the publisher of the driver app.


63. The AP further notes that when processing personal data of Uber drivers, 
data is processed in the context of the activities of an establishment of a 
controller or processor in the Union, as provided for in Article 3(1) of the GDPR. 


64. Finally, Uber offers its services in several EU member states and processes personal data for these services. This means that data subjects in more than one Member State are materially affected by the processing of personal data by Uber. This constitutes cross-border processing (Article 4, opening words and point 23(a) and (b) GDPR). The AP notes that Uber's central administration in the EEA is located at Uber BV. Therefore, Uber BV is regarded as a principal place of business within the meaning of Article 4, section 16, GDPR. In view of this, the AP is competent to act as the lead supervisory authority within the meaning of Article 56(1) GDPR.


4.3 Territorial scope and Chapter V GDPR 


65. Uber is of the opinion that Article 3 GDPR and Chapter V GDPR cannot apply simultaneously.33 


32 See EDPB Guidelines 07/2020 on the concepts of “controller” and “processor” in the GDPR, p. 3 and 10. 


33 See "View of Uber research report on intention and enforcement to of June 9, 2023, point 6.2.2., p. 28-31.


66. The AP notes that the rationale for data transfers in accordance with Chapter V GDPR is complementary to the rationale for the territorial scope of the GDPR as laid down in Article 3. Namely, preventing the protection afforded by EU law with regard to data from being compromised or withheld, or this protection from being undermined or circumvented.34 By declaring EU law applicable to processing operations that take place outside the borders of the EEA, Article 3 GDPR aims to ensure the high level of data protection guaranteed by the GDPR.35 The provisions in Chapter V GDPR on transfers achieve this by mandating the application of protection based on EU standards to such processing operations.36 It should be noted that while the GDPR applies to all processing operations under Article 3 GDPR, the application of the GDPR outside the EEA territory does not provide the same protection. The application of the GDPR in the Union is based on the legal framework of EU regulations in areas such as the recognition and enforcement of judgments, the legal order, the independence of the judiciary and the Data Protection Authorities and other basic areas that, by their nature, do not apply to third countries.37 In several judgments relating to international data transfers, the CJEU expresses this concern by assessing whether the personal data have been processed in a manner that complies with EU standards.38


67. The AP therefore notes that the provisions in Chapter V contain mechanisms that counterbalance the difficulty of enforcing obligations under EU law against parties in third countries. The AP is of the opinion that any other interpretation of these mechanisms would lead to a weakening of the protection offered within the Union, which does not correspond to the standard required by the CJEU.39


In further explanation of the foregoing, the AP notes that it is difficult within the jurisdiction of the United States to enforce compliance with the GDPR against foreign companies, including Uber. To counter this, the data transfer provisions in Chapter V GDPR do not impose a direct obligation on parties that process data in third countries by requiring them to adhere to the standards of the GDPR.


68. With regard to Uber's argument that Article 3 GDPR prevails over Chapter V, or the argument not to apply provisions from Chapter V when Article 3 GDPR applies, the AP notes that any variation on the described interpretation would conflict with the status that Chapter V has within the structure of the GDPR. Article 44 GDPR establishes the link between Chapter V and the other provisions by stating that transfers of personal data may only take place if all other relevant provisions of the GDPR are met.40 The CJEU has confirmed this view by stating that the transfer of personal data to a third country is processing that falls within the scope of the GDPR and that where the GDPR applies, the provisions regarding data transfers must also apply.41 Furthermore, the European Data Protection Board (hereinafter: EDPB) states that the application of the GDPR entails that all provisions of the GDPR apply to processing operations that fall within the territorial scope of the GDPR,42 including the obligations set out in Chapter V of the GDPR.


34 Data protection concepts should be interpreted broadly so that no one is deprived of full and adequate protection. This view is expressed by the CJEU in judgments on international data processing which indicate the need to ensure consistent and uniform application of the Charter and to avoid circumvention of protection. See in that regard C-311/18, Schrems II, ECLI:EU:C:2020:559, paragraph 101 and C-131/12, Google v Spain, ECLI:EU:C:2014:317, paragraphs 54 and 58.

35 Recital 23 of the GDPR.

36 C-362/14, Schrems, ECLI:EU:C:2015:650, paragraph 73.

37 For example, Article 36 GDPR requires prior consultation with the relevant Data Protection Authority in those cases where data processing would lead to a high risk. However, the GDPR does not contain any provisions to determine a competent Data Protection Authority for data processing outside the Union.

38 C-362/14, Schrems, ECLI:EU:C:2015:650, paragraph 90, Conclusion 1/15, EU-Canada PNR Agreement, ECLI:EU:C:2017:592, paragraphs 212-215 and C-311/18, Schrems II, ECLI:EU:C:2020:559, paragraph 184. Regarding the view of the CJEU that data transfers ‘must ensure a high level of protection essentially equivalent to that under EU law’, see C-101/01, Bodil Lindqvist, ECLI:EU:C:2003:596.

39 In that context, see for example C-40/17, Fashion ID GmbH & Co. KG, ECLI:EU:C:2019:629, paragraph 50.


69. The AP notes that there are important differences between Article 3 GDPR and Chapter V GDPR and emphatically states that Article 3 GDPR does not prevail over Chapter V. Moreover, there are consequences for not applying Chapter V GDPR. The territorial scope laid down in Article 3(1) of the GDPR means that the Regulation applies to processing of personal data carried out in the context of the activities of an establishment of a controller or processor in the Union, regardless of whether the processing takes place in the Union. The GDPR therefore also applies if the processing does not technically take place in the Union, but is bound by the GDPR through a permanent relationship with a permanent establishment in the Union (such as a branch or subsidiary). Such a relationship is readily assumed, for example if the establishment in the Union generates income for the parent entity in the third country. This is certainly the case between Uber BV and UTI in the present case. In contrast, the provisions on data transfers set out in Chapter V address the specific context of transfers of personal data to an entity in a third country by a processor or controller, where the exporter of the personal data must implement appropriate safeguards to ensure that the personal data enjoys a level of protection equivalent to that which the GDPR offers within the Union. This protection is therefore complementary to Article 3 GDPR. This additional set of provisions of the GDPR sets a high standard of protection both in practice and in law to prevent the protection offered by EU law from being circumvented.43


70. Finally, with regard to the relationship between Article 3 GDPR and Chapter V GDPR, Uber submits 
that the GDPR (being derived Union law) must be interpreted in accordance with international 
agreements, in this case the WTO agreements. 


40 Article 44 GDPR states that data may only be transferred if the conditions set out in Chapter V are met, which means that compliance must be ensured before the transfer takes place.

41 C-311/18, Schrems II, ECLI:EU:C:2020:559, paragraph 83.

42 EDPB Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), p. 5.

43 The CJEU noted in its judgments that the GDPR must provide sufficient protection, both in law and in practice, see C-362/14, Schrems, ECLI:EU:C:2015:650, paragraphs 64-65 and 95, Conclusion 1/15, EU-Canada PNR Agreement, ECLI:EU:C:2017:592, paragraph 220, and C-311/18, Schrems II, ECLI:EU:C:2020:559, paragraphs 105 and 187.


71. Uber notes, firstly, that the European Union, and each of its Member States, is a party to the Marrakesh Agreement Establishing the World Trade Organization (WTO Agreement)44 and the annexes to the WTO Agreement (including the GATS Agreement).45 It follows from these international agreements that non-European entities, such as UTI, may not be treated more disadvantageously than European entities by the participating states. Because, according to Uber, a simultaneous application of both the obligations of the GDPR based on Article 3 GDPR and Chapter V GDPR would be more disadvantageous for UTI as a non-European entity, Uber is of the opinion that both systems cannot apply simultaneously. In conclusion, the AP's explanation, namely that Chapter V and Article 3 of the GDPR can be applied simultaneously, is, according to Uber, contrary to the EU's international obligations.


72. Although the AP will not dispute that the GDPR should in principle be interpreted as much as possible in accordance with international agreements, it must conclude that Uber's argument fails to recognize that case law has already established that the interpretation proposed by Uber must meet two cumulative conditions, namely:


1. The nature and structure of that agreement (the WTO agreement in this case) do not prevent an action for annulment or objection of illegality from (derivative) Union law (the GDPR);


2. The provision (the WTO Agreement) is sufficiently unconditional and sufficiently precise in substance to bring about an action for annulment or objection of illegality of secondary Union law (the GDPR).46


73. It follows from settled case law that the WTO agreement does not meet at least the first requirement. Its nature and design preclude the WTO agreement from taking precedence over the GDPR. It also opposes the statement that the WTO agreement is leading for the interpretation of secondary Union law (such as the GDPR).47 In this context too, the AP therefore maintains its position that Article 3 of the GDPR (and all obligations arising from it) and Chapter V GDPR apply simultaneously in this case.


74. In addition, paragraph 3 of the introduction to the attached list to which Uber refers in its written opinion48 states in so many words that the rights and obligations arising from the GATS, including the list of commitments, do not have direct effect, “so that there are no direct rights for individual natural or legal persons”. Uber cannot therefore rely on the WTO agreement and the associated GATS commitments in the present case.


4.4 Is there a transfer of personal data? 


44 Marrakesh Agreement establishing the World Trade Organization, 15 April 1994.

45 General Agreement on Trade in Services, 15 April 1994.

46 See in particular judgment of 13 January 2015, Council and Others v Vereniging Milieudefensie and Stichting Stop Luchtverontreiniging Utrecht, C-401/12 P to C-403/12 P, EU:C:2015:4, paragraph 54 and the case-law cited.

47 See, in particular, judgments of 23 November 1999, Portugal v Council, C 149/96, EU:C:1999:574, paragraph 47; March 1, 2005, Van Parys, C 377/02, EU:C:2005:121, paragraph 39, and February 4, 2016, C & J Clark International and Puma, C 659/13 and C 34/14, EU:C:2016:74, paragraph 85.

48 List of specific commitments of the European Union annexed to the General Agreement on Trade in Services (GATS) (OJEU 2019/C 278), p. 59.


4.4.1 Legal framework


Article 44 GDPR provides that “personal data which are being processed or which are intended to be processed after transfer to a third country or to an international organization may only be transferred if, without prejudice to the other provisions of this Regulation, the controller and the processor have met the conditions laid down in this chapter; this also applies to onward transfers of personal data from the third country or an international organization to another third country or another international organization. All provisions of this Chapter shall be applied so that the level of protection guaranteed to natural persons by this Regulation is not undermined.”


Furthermore, Recital 101 GDPR notes: “[...] However, where personal data are transferred from the Union to controllers, processors or other recipients in third countries or international organizations, this should not be detrimental to the level of protection afforded to natural persons in the Union by this Regulation, including in cases of onward transfers of personal data from the third country or international organization to controllers or processors in the same or another third country or in the same or another international organization. [...] In any case, transfers to third countries and international organizations may only take place in full compliance with this Regulation. A transfer may only take place if the controller or processor, subject to the other provisions of this Regulation, complies with the provisions of this Regulation regarding transfers of personal data to third countries or international organizations.”


The GDPR does not define 'transfer'. However, in its Guidelines, the EDPB has established three cumulative criteria that a transfer must meet:


1. A controller or processor (“exporter”) is subject to the GDPR for the particular processing activity.


2. Personal data which are the subject of this processing are forwarded or otherwise made available by the exporter to another controller, joint controller or processor (“importer”).49


3. The importer is located in a third country (regardless of whether or not this importer is covered by the GDPR for the specified processing activity in accordance with Article 3) or is an international organization.50


78. If the above criteria are met, this constitutes a transfer and Chapter V GDPR applies. This means that the transfer may only take place under the conditions set in an adequacy decision of the European Commission51 or by providing appropriate guarantees.52


If these are not met, the GDPR provides for derogations (exceptions) for specific situations.53


49 See also EDPB Guidelines 07/2020 on the concepts of “controller” and “processor” in the GDPR.

50 EDPB Guidelines 05/2021 on the interaction between the application of Article 3 and the provisions on international transfers under Chapter V of the GDPR, p. 7.

51 Article 45 GDPR.

52 Article 46 GDPR.

53 Article 49 GDPR.


In the present case, the AP assesses whether the processing operations described in situations 1 and 2 can be regarded as transfers of personal data where the provisions set out in Chapter V GDPR must be met.


4.4.2 Assessment 


80. With regard to the first criterion, the AP determines that the processing meets the requirements of Article 3(1) GDPR, namely that a controller or processor is subject to the GDPR with regard to the processing in question.54 This conclusion is recognized by Uber. More specifically, Uber has stated that UBV, in relation to the processing of Uber drivers' personal data in the EEA, is subject to the GDPR. And Uber further emphatically states that both UBV and UTI are bound by the GDPR under Article 3(1) of the GDPR.


81. With regard to the second criterion, Uber states that there is no transfer. Uber explains this by stating the following: “Chapter V of the GDPR does not apply to certain aspects of Uber's business and the related international data flows cannot be regarded as international data transfers” because UBV and UTI are joint controllers for whom the GDPR is directly applicable pursuant to Article 3(1) GDPR. Despite this reasoning, Uber nevertheless acknowledges that data is being transmitted between UBV and UTI. But according to their written statements, they believe that these should not be classified as transfers because both UBV and UTI are covered by the GDPR.55


82. The AP takes a different view. As previously noted, failure to apply Chapter V GDPR because UBV and UTI fall directly under the GDPR would undermine the GDPR's high level of protection. Transfers can take place under different types of circumstances where entities are subject to the GDPR under Article 3 GDPR. Transfers between joint controllers covered by Article 3 may also take place and are not excluded from the GDPR's provisions on transfers. This view is in line with the position of the EDPB as reflected in the second criterion for transfer: “Personal data which are the subject of this processing are provided by the exporter by means of retransmission or otherwise made available to another controller, joint controller or processor (“importer”)”.


83. The CJEU requires that data protection be effective in law but also in practice. This means that effective redress mechanisms and legal remedies against violations of the GDPR must be available.56 If the processing in question is covered by the GDPR and the personal data is processed by an entity outside the Union, then the processing is subject to legal frameworks that may conflict with or undermine the GDPR. Regulations regarding international transfers therefore counterbalance the difficulty in enforcing obligations under EU law against parties outside the Union.


54 See also section 4.2. and EDPB Guidelines 3/2018 on the Territorial Scope of the GDPR (Article 3).

55 File document 11, Response to information request 1, Appendix to International Data Flows, p. 6.

56 See also EDPB Guidelines 3/2018 on the Territorial Scope of the GDPR (Article 3) and C-311/18, Schrems II, ECLI:EU:C:2020:559, paragraphs 186-189.


According to the CJEU, the concept of controller as laid down in Article 4, opening words and point 7, of the GDPR must be interpreted broadly in order to ensure effective and complete protection of data subjects.57 In the opinion of the AP, this view can be applied analogously to the concept of 'exporter'. A restrictive interpretation of the 'exporter' criterion would mean that Uber drivers are not effectively and fully protected, because then there would be no accountable exporter who is responsible for complying with obligations regarding the transfer of personal data outside the EEA. The exporter is the entity that must comply with Chapter V transfer regulations and assess what appropriate safeguards are necessary to ensure an equivalent level of protection for personal data (as guaranteed under the GDPR). In addition, the data subject must be able to hold the controller accountable for his or her accountability within the meaning of Article 5(2) in conjunction with Article 44 GDPR.


85. Furthermore, the CJEU requires that personal data originating from the Union should enjoy a high level of protection even if they are processed in or transferred to third countries. Any interpretation or implementation of the provisions of Article 3 and Chapter V shall conform to that standard. For this reason too, the AP is of the opinion that the concept of ‘exporter’ in the second criterion, as elaborated in the EDPB Guidelines, should not be interpreted restrictively.


86. Due to developments in law and case law, a restrictive interpretation is also not consistent with the aim of providing a high level of protection to personal data. From the moment the Charter of Fundamental Rights of the European Union (hereinafter: the Charter) became primary law,58 the CJEU has relied on the Charter to emphasize the high level of protection for international transfers in the context of international agreements of the Union,59 Commission adequacy decisions60 and Commission Standard Contractual Clauses (SCCs).61 In light of these judgments, the AP views international transfers from the perspective that providing a high level of protection is the starting point and the AP interprets the term 'exporter' broadly.


In the present case, and taking into account technical developments, the ‘exporter’ criterion (a 
controller or processor in the EEA who transfers personal data to a third country) deviates from the 
so-called classic model. To illustrate this, the AP notes that within the given context, Uber provides 
the data subject - the Uber driver in the EEA - with extensive instructions on how to provide specific 
personal data. In addition, Uber drivers must adhere to conditions set in advance by Uber with regard 
to: 


57 See, for example, C-210/16, Independent Center for Data Protection Schleswig-Holstein v Schleswig-Holstein Business Academy,
ECLI:EU:C:2017:796, paragraph 28 and C-25/1 Jehovah’s Witnesses, ECLI:EU:C:2018:551, paragraph 66.

58 See also Article 6(1) TFEU.

59 Conclusion 1/15, EU-Canada PNR Agreement, ECLI:EU:C:2017:592, marginal 119-231.

60 C-362/14, Schrems, ECLI:EU:C:2015:650, paragraphs 38-40.

61 C-311/18, Schrems II, ECLI:EU:C:2020:559, paragraph 99.
others the processing of their personal data in the context of a (pre)contractual
employment relationship. Furthermore, Uber employees in the EEA, for example UBV employees,
must adhere to Uber's internal policies that prescribe mediation between the Uber driver and
UTI.62 Uber also explained that when an Uber driver encounters problems, for example
when taking the mandatory profile photo for the driver app, the Uber driver can go to a Greenlight
Hub location in the EEA where an employee will assist the Uber driver (on site) in taking a photo
with the Uber driver's smartphone. The Uber driver can then upload the profile photo to the
UTI-managed Uber IT platform with the employee's instructions. In this specific case, the
personal data is technically transferred from the data subject's personal device from the
EEA to the UTI-operated Uber platform located in a third country.

However, despite these processing activities instructed by Uber, which take place prior to and during the contractual
relationship between the Uber driver and UBV, Uber attributes the continuous transfer of personal data from the EEA to a
third country in situations 1 and 2 to the data subject.


88. The AP notes that Uber drivers provide their personal data by posting it on the Uber
platform and that these are collected by Uber via the personal device of the Uber driver, within
the EEA, and end up on Uber's IT systems (managed by UTI) in the United States. This results in
data traffic of personal data from the EEA to the United States.

In the opinion of AP, however, this does not in any way mean that the forwarding of data by Uber,
as it took place and still takes place in accordance with the description of situations 1 and
2, does not constitute a transfer of personal data from UBV to UTI within the meaning of the
GDPR.63 Uber uses the driver app as a technical tool to transfer personal data from the EEA to
the United States. UBV therefore shares responsibility and has (technical) control over the transfer
of personal data from the EEA to the United States.


89. Furthermore, the AP is of the opinion that the question of whether there is international
transfer should not only be assessed on the basis of the finding that it is the driver who operates
the driver app via his private device. It must also be taken into consideration that Uber exerts a 
great deal of influence on the context in which those actions and the driver's will are made. This 
context consists of various elements predetermined by Uber that in fact leave the driver no choice 
but to enter the data in the Uber app. The following will explain what these elements are and how 
they determine the context in which the data transfers take place. It will become clear that the 
attribution of the transfer to the driver by Uber (which is only a link of minor significance in the 
entire process and context of the processing) undermines the protection that the GDPR offers for 
the processing of personal data. 


62 An example of these policy rules was further explained during the opinion session, see the minutes of the opinion
hearing held on July 5, 2023.

63 With the exception of the case where Uber sends personal data from the US to the EEA when responding to requests from data subjects about the 
exercise of their GDPR rights. 
90. Firstly, the modern revenue model as well as the technical architecture of the platform and
Uber's internal policies are designed in such a way that they serve Uber's business purposes.
In the present case, UBV, which enters into an agreement with the Uber drivers (on
EEA territory), is regarded as the controller who, in a pre-contractual employment-related
relationship, initiates the collection of personal data via the Uber platform. The
drivers at this stage provide their personal data via their personal device, within the EEA, on
the driver app platform operated by UTI located outside the Union. From that moment on, Uber
continuously collects and processes personal data via the Uber driver's personal device.
Subsequently, the personal data of Uber drivers in the EEA are
made accessible by transmission or otherwise to, and stored on, UTI's servers in the United
States. The AP therefore concludes that in the contractual relationship between Uber
drivers within the EEA and UBV, UBV is the exporter of the personal data and UTI the importer.


91. This view is consistent with 'providing effective and complete protection’ of personal data 
required by the CJEU. Furthermore, this explanation is not contrary to the Guidelines.64 
The Guidelines provide various examples that illustrate the situations in which processing 
should be regarded as a transfer. However, an example of a situation such as that occurring in 
the present case, more specifically an example of an 'exporter' in the context of a (pre)contractual 
employment-related relationship, is not given. In this case, the data subjects provide the personal 
data through their personal device on the platform operated by a third-country entity, UTI. The 
contractual relationship between Uber drivers in the EEA and UBV - where the conditions are 
unilaterally determined in advance by Uber - makes it possible for Uber drivers in the EEA to 
gain access to the platform for Uber drivers. The core activity of providing transportation 
services on Uber's platform requires the Uber driver to upload personal data and for Uber to 
continuously collect personal data from the Uber driver's device. The personal data are 
then processed for various purposes jointly determined by UBV and UTI, involving transfers 
from the EEA to the United States. 


92. The AP's view, in which UBV is regarded as the ‘exporter’ and UTI as the ‘importer’, is also 
confirmed by the details below in the relationship between the Uber drivers and Uber 
(UBV and UTI). 


* The platform for Uber drivers is designed by Uber in such a way that the Uber driver must enter
their personal data into the platform via their personal device in order to access the platform,
plan activities (i.e. information events), receive support and to provide transport services. Uber
also stipulates that the personal data of drivers in the EU will be processed on UTI's platform in
a third country. The limited actual influence that Uber drivers have over their personal data
vis-a-vis controllers is an important factor in the present case to qualify UBV as an exporter;


64 EDPB Guidelines 05/2021 on the interaction between the application of Article 3 and the provisions on international 
transfers under Chapter V of the GDPR. 




AUTORITEIT PERSOONSGEGEVENS
Date: July 22, 2024
Our reference: [confidential]


* With regard to the collection of personal data and/or otherwise processing
personal data of Uber drivers via the Uber platform by UBV and UTI, AP reiterates that the purposes and means 
for the processing of personal data are determined unilaterally by UBV and UTI. If a data subject decides 
to become an Uber driver in the EU, this requires an account on the Uber platform65 and subsequent acceptance 
of the terms and conditions. By agreeing to the terms and conditions, the Uber Driver enters into a contract with 
UBV which subsequently subjects the Uber Driver to the predetermined purposes and means of the processing 
of their personal data by UTI and UBV; 


* The AP emphatically notes that although the Uber drivers entered into the contract of their own free will, this 
does not automatically mean that they have influence in determining the purposes and means of processing 
their own personal data. Especially since the general terms and conditions that Uber drivers must accept 
have been drawn up in advance and cannot be negotiated. Furthermore, Uber exercises full authority over the 
activities on the platform and the data processing resulting from these activities. For example, Uber influences 
certain aspects of Uber drivers' behavior by providing financial incentives to conduct more trips and by allowing 
passengers to rate their Uber driver, which may result in the Uber driver being banned from the platform.66


93. The AP has also found that Uber also has control in other ways, through their platform,
over the behavior of Uber drivers and their personal data, namely:


* Uber drivers are controlled by an algorithm of the driver app that has been determined in advance by Uber and 
through which Uber exercises control over data processing.67 In addition, Uber sets certain requirements 
that an Uber driver must meet. To demonstrate that these requirements are met, the Uber driver must upload 
documents with personal data to the platform. 
For example, as an Uber driver you must have a car. The vehicles permitted to be driven on behalf of 
Uber must meet certain conditions that appear to vary from country to country where Uber transportation services 
are provided. The vehicles must be approved and meet the condition of compulsory insurance. The driver must 
also have a driver's license and may not have a criminal record. These documents are reviewed by UBV and 
UTI before an Uber driver is given permission and/or permission to accept rides in his area. 


* Based on the quality of the driver and the type of vehicle, the transport services offered by Uber
are divided into categories.
[confidential] 


65 The Uber driver's personal data is then entered on servers owned and operated by UTI. These servers are located in the United States where the personal data is further 
processed. 

66 District Court of Amsterdam, ECLI:NL:RBAMS:2021:5029, paragraph 1.13. 

67 Ibid, r.o. 16-35. 
The remaining amount is paid to the Uber driver.68 In order to carry this out, the personal data
of Uber drivers are processed by UTI and UBV.


* Uber enables passengers to access their platform and perform the transportation services subject to the terms and conditions 
imposed by Uber that are binding on the drivers through an agreement for the use of the platform. The conditions relate 
to the acceptance and pursuit of activities and even the behavior of drivers during the provision of the service. For 
example, as described earlier, the driver app contains a rating function that allows passengers to rate the drivers and vice 
versa. For this purpose, the passenger in question needs the personal data of his Uber driver so that he can assess the 
quality of the ride and other aspects of the ride provided by the Uber driver. An average rating that falls below the 
threshold value could (previously) lead to exclusion from the platform, especially for drivers. Uber therefore exercises 
control over the quality of the services provided by their drivers. Uber cannot perform these activities without
processing personal data. In particular, granting and denying access to the platform requires personal data about the relevant
Uber driver.


* As mentioned earlier, Uber assigns different classifications to the Uber drivers such as Gold,
Platinum or Diamond. In order to perform these activities for the above purposes, Uber 
maintains information about drivers. 


* Drivers who make a lot of trips are financially rewarded by Uber. Uber informs drivers where
and when they can count on a large number of rides and/or preferential ride prices. Disputes
between a passenger and driver reported on the platform, for example about the fare price, are
also handled by Uber. Uber can unilaterally decide to refund the fare (in whole or in part) to the
passenger, after which the driver will be paid a lower amount for the ride.69


94. Based on the above, it can be concluded that Uber's activities in EEA 
territory and beyond consist of offering rides in a vehicle located and booked through the 
platform. Providing this service is the core of Uber's revenue model. The service is 
also offered and understood in this way by those requesting rides. When ride requesters 
decide to use the Uber platform, they are looking for a transportation service that offers certain 
features and a specific quality standard. Such aspects are determined and guaranteed in advance 
by Uber. The AP therefore believes that Uber exercises control over important aspects of 
the transport service offered through their platform. This type of control includes the collection 
and further processing of Uber drivers' personal data in the EEA, including the transfer of their 
personal data to third countries. 


68 C-434/15, Professional Association Elite Taxi v Uber Systems Spain SL, ECLI:EU:C:2017:981, paragraph 48.
69 District Court of Amsterdam, ECLI:NL:RBAMS:2021:5029, paragraph 1.16. 
95. In the present case, the AP expressly notes that the processing in question cannot be regarded as ‘internal
processing'.70 There are two controllers, UBV established in the EU and UTI established in the United 
States. These entities jointly determine the purposes and means of processing personal data of Uber 
drivers as described in situations 1 and 2. Furthermore, the data subjects in question have no 
control over these purposes and means of processing the personal data in question. The Uber drivers 
cannot therefore be regarded as controllers within the meaning of the GDPR for the processing of personal 
data as described in situations 1 and 2. 


96. Finally, the third criterion requires that “the importer is located in a third country (whether or not this importer 
is covered by the GDPR for the particular processing activity in accordance with Article 3) or is an 
international organization.” In the present case UTI is geographically located in the United States and 
imports the personal data of Uber drivers from the EEA to a third country within the meaning of the GDPR. 


4.4.3 Conclusion 


97. The AP concludes that the provisions regarding data transfer in Chapter V GDPR are complementary 
to Article 3 GDPR. Transfers of personal data between joint controllers covered by Article 3 
are not excluded from the GDPR's international transfer provisions. This prevents the protection of 
personal data provided by EU law from being undermined or circumvented. 


98. Secondly, it follows sufficiently clearly from Article 44 GDPR (and recital 101 GDPR) that traffic of
personal data from the Union to an entity in a third country involves a transfer. The AP determines that in
this case there is a transfer within the meaning of Article 44 GDPR, because personal data goes from the EEA
to the United States (a third country). The AP further notes that all criteria for transfer as established in the
Guidelines have also been met. The processing of personal data as described in situations 1 and 2
is therefore regarded as transfers from the EEA to the United States.71


99. The transfer by UBV to UTI means that the exporter, UBV, must comply with the obligations under the GDPR,
including Chapter V GDPR. Finally, UBV must guarantee that the level of protection of natural persons
guaranteed by the GDPR is not undermined. More specifically, UBV must
assess whether the transfer tool it intends to use is effective in the light of the law and legal practice in
force in the third country.72


70 In other words, where data is not provided by transmission or otherwise made available to another controller or processor, including where that processing takes place 
outside the EU, see EDPB Guidelines 05/2021 on the interaction between the application of Article 3 and the provisions on international transfers in accordance with Chapter 
V of the GDPR, paragraph 17. 


71 With the exception of the case where Uber sends personal data from the US to the EEA when responding to requests
from data subjects about the exercise of their GDPR rights.

72 EDPB Guidelines 05/2021 on the interaction between the application of Article 3 and the provisions on international transfers
in accordance with Chapter V of the GDPR, p. 15, marginal 25-27.
4.5 Did Uber have a transfer instrument?
4.5.1 Legal framework 


100. Article 45(1) GDPR provides: “A transfer of personal data to a third country or an international
organization may take place where the Commission has decided that the third country, a territory or one or more specified sectors
within that third country, or the international organization in question ensures an adequate level of protection. Such transfer
does not require specific consent.”


101. On July 10, 2023, the European Commission took the Adequacy Decision. This
Adequacy decision “means that transfers from controllers and processors in the Union to certified organizations in the United
States can take place without further consent. This is without prejudice to the direct application of Regulation (EU) 2016/679 to
such entities, provided that the conditions regarding the territorial scope laid down in Article 3 of that Regulation are met.”73


102. Article 46(1) GDPR states: “In the absence of a decision pursuant to Article 45(3), a transfer of personal data to a third
country or an international organization by a controller or a processor may only take place provided that they provide 
appropriate safeguards and data subjects have enforceable rights and effective legal remedies.” 

103. Article 46(2) GDPR provides that “the appropriate safeguards referred to in paragraph 1 may be provided by the following
instruments, without requiring specific authorization from a supervisory authority:
(a) a legally binding and enforceable instrument between public authorities or bodies;
(b) binding corporate rules in accordance with Article 47;
(c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in
Article 93(2);
(d) standard data protection clauses adopted by a supervisory authority and approved by the
Commission in accordance with the examination procedure referred to in Article 93(2);
(e) a code of conduct adopted in accordance with Article 40, together with binding and enforceable commitments from the
controller or processor in the third country to apply appropriate safeguards, including for the rights of data subjects; or
(f) a certification mechanism approved in accordance with Article 42, together with binding and enforceable commitments by the controller
or processor in the third country to implement appropriate safeguards, including as regards the rights of data subjects."


Article 46(3) GDPR provides that “subject to the consent of the competent supervisory authority, the appropriate safeguards referred
to in paragraph 1 may also be provided by, in particular:
(a) contractual clauses between the controller or processor and the controller, processor or recipient of the personal data in the
third country or international organization; or [...]


73 Decision of the European Commission of 10 July 2023 on ‘the adequate level of protection of personal data under the EU-US Data 
Privacy Framework’ (C2023/4745 final), marginal 8, p. 3. 
4.5.2 Assessment


104. Article 44 GDPR sets out the general principle regarding transfers, noting that the provisions 
of Chapter V should be applied so that the level of protection guaranteed by GDPR is 
not undermined if the personal data is transferred to a third country.74 Chapter V is 
furthermore intended to ensure that the standard of protection resulting from EU law is not 
circumvented through transfers of personal data to a third country for the purpose of 
processing there.75 


105. In the absence of an adequacy decision within the meaning of Article 45 GDPR, transfers of personal 
data to the United States between July 16, 2020 and July 10, 2023 could only take place if 
appropriate safeguards were provided and data subjects had enforceable rights and effective 
legal remedies. The AP considers that these appropriate guarantees offered by the controller 
should guarantee that the rights of the persons whose data are transferred enjoy a level of 
protection that is essentially equal to the level resulting from the GDPR, viewed in the light of the 
Charter. 


106. The EDPB states in its guidelines that “when invoking one of the transfer tools mentioned in
Article 46 GDPR, it should be assessed whether this ensures a level of protection of the
data transferred that is essentially equivalent to that guaranteed in the EU, or whether
additional measures need to be taken and when a controller or a processor transfers data to an
importer in a third country whose processing falls under Article 3(2) GDPR, the protection afforded
by the GDPR may also be undermined by the legal framework applicable to the importer.”76
The AP notes that where the GDPR is directly applicable on the basis of Article 3(1)
GDPR, the same reasoning can be followed when one of the joint controllers is established outside
the Union. The AP further notes that when personal data is processed on EEA territory, it is
protected not only by the provisions of the GDPR, but also by other EU and Member State
legislation. When personal data is transferred and/or made accessible to entities outside the EEA
territory, the overarching legal framework provided within the Union no longer applies. A mechanism
has been set up for this in Chapter V GDPR
to ensure that the level of protection of natural persons guaranteed by the GDPR is not
undermined. The data transfer mechanisms provide additional
provisions to ensure the necessary safeguards to prevent the protection provided by the
GDPR and the broader legal framework of the EEA from being undermined by foreign law, even where
the GDPR is directly applicable based on Article 3 GDPR.


74 Recital 6 of the GDPR states that a ‘high degree’ of protection of personal data both within the Union and in the event of a transfer
outside the Union must be guaranteed. See also recital 101 of the GDPR.
75 C-362/14, Schrems, ECLI:EU:C:2015:650, paragraph 73 and Conclusion 1/15, EU-Canada PNR Agreement, ECLI:EU:C:2017:592, marginal 214.
76 EDPB Guidelines 5/2021 on the interaction between the application of Article 3 and the provisions on international transfers under Chapter V of the GDPR, p. 6, marginal
3 and 4. See also EDPB Recommendations 01/2020 on measures to complement transfer tools to ensure compliance with the level of protection of personal data in the Union, EDPB
Recommendations 02/2020 on the European essential guarantees for surveillance measures and C-311/18, Schrems II, ECLI:EU:C:2020:559.
107. The EDPB Guidelines further state that “this means that the exporter must comply with the conditions of Chapter V and, when
transferring, use one of the tools intended to protect personal data after it has been transferred to a third country or an international
organization.”


108. The AP has determined that from August 6, 2021 to November 27, 2023, UBV did not have a legal
transfer mechanism in place for the transfer of personal data from the EEA to the United States. In response to the AP's
questions, Uber explains that “UBV and UTI previously entered into the controller-to-controller standard contractual clauses
of the European Commission (‘SCCs’) in their joint controllership agreement.” Uber adds that “from the updated standard
contractual clauses (‘SCC’) by the European Commission (‘EC’), it follows that standard contract clauses do not apply to a
controller whose processing is subject to the GDPR. In light of this, Uber revisits its joint controller agreement to delete the SCCs.”77
For this reason, Uber has removed the standard contractual clauses for the transfer of personal data to third countries from its
Data Sharing Agreement as of August 6, 2021.


109. The European Commission (EC) has stated in its FAQ that the relevant new
standard contractual clauses (SCCs) cannot be used in a situation where processing by controllers falls directly under the
GDPR.78 Immediately afterwards, the EC notes that the “European Commission is in the process of developing an additional set
of SCCs for this scenario, which will take into account the requirements that already apply directly to those controllers and
processors under the GDPR.” The AP is of the opinion that Uber could in no way have deduced from these statements that SCCs
or other transmission tools do not have to be used if the processing (according to Uber's claim) falls under Article 3 of the
GDPR. The EC's statement therefore does not exempt Uber from complying with the GDPR. Uber was and is currently obliged
to use a transmission tool in accordance with Chapter V GDPR.79


110. Given its latest privacy statement, Uber should also have known that a transfer mechanism was necessary.
Uber has stated therein that it adheres to the EU-US DPF and moreover says that: “In the event that the EU-U.S.
DPF or the Swiss-U.S. DPF are invalidated, Uber will transfer data that is subject to these certifications in reliance on
the other data transfer mechanisms described above”.


4.5.3 Conclusion 


111. The AP concludes that UBV (as exporter) did not have a lawful transfer mechanism in place for the transfer of personal data of drivers
from the EEA to the United States from August 6, 2021 to November 27, 2023. The AP has not received a request from Uber for
other suitable transfer


77 File document 17, Uber's response to a request for information, dated August 9, 2021, p. 6. 

78 EC, THE NEW STANDARD CONTRACTUAL CLAUSES — QUESTIONS AND ANSWERS, question 24, p. 13, available on:
https://commission.europa.eu/system/files/2022-05/questions_answers_on_sccs_en.pdf

79 The AP notes that, depending on the situation in a particular third country, Article 46(2)(c) GDPR may require the controller to take
additional measures to ensure the level of data protection within the Union, see C-311/18,
Schrems II, ECLI:EU:C:2020:559, paragraph 133.
instruments under Article 46 GDPR.80 The AP therefore determines that Uber was in violation of Article
44 GDPR during the aforementioned period.


4.6 Can Uber successfully invoke an exception from Article 49 GDPR? 
4.6.1 Legal framework 


112. Article 7 of the Charter states “Everyone has the right to respect for his private and family life, his home 
and communications.” Article 8(1) of the Charter states “Everyone has the right to the protection of personal 
data concerning him or her.” The processing of personal data, as defined in Article 4(2) of the GDPR, of a data 
subject affects the fundamental right to respect for private life guaranteed in Article 7 of the Charter. 
Furthermore, such processing falls within the scope of Article 8 of the Charter.81 The AP notes that the rights 
enshrined in Articles 7 and 8 of the Charter are not absolute rights and must be considered in relation to their 
function in society.82 In addition to the above, Article 8(2) of the Charter states that personal data “shall
be processed fairly, for specified purposes and with the consent of the data subject or on another legitimate basis 
provided for by law.” 


113. With regard to the scope and interpretation of the rights and principles enshrined in the
Charter, Article 52(1) of the Charter states that “any limitation on the exercise of the rights and freedoms
recognized in this Charter shall be provided for by law and shall respect the essence of those rights and
freedoms. Subject to the principle of proportionality, only restrictions shall be imposed where they are
necessary and genuinely meet objectives of general interest recognized by the Union or the need to protect the
rights and freedoms of others.”83


114. The derogations for specific situations set out in Article 49 GDPR state that “in the absence of an adequacy decision
in accordance with Article 45(3) or appropriate safeguards in accordance with Article 46, including binding
corporate rules, a transfer or series of transfers of personal data to a third country or an
international organization will only take place if one of the following conditions is met: [...]


(b) the transfer is necessary for the performance of a contract between the data subject and the
controller or for the implementation of pre-contractual measures taken at the request of the data subject;


80 Uber had voluntarily included and implemented the SCCs in their DSA. These were removed by Uber on its own initiative after the new EC SCCs became available. 


81 See for example C-92/09 and C-93/09, Markus Schecke and Eifert, EU:C:2010:662, paragraphs 49 and 52; C-594/12, Digital Rights Ireland, EU:C:2014:238, paragraph 29
and Conclusion 1/15, EU-Canada PNR Agreement, ECLI:EU:C:2017:592, marginal 122-123.

82 See for example C-92/09 and C-93/09, Markus Schecke and Eifert, EU:C:2010:662, paragraph 48; C-291/12, Schwartz, EU:C:2013:670, paragraph 33; and Conclusion 1/15,
EU-Canada PNR Agreement, ECLI:EU:C:2017:592, marginal 136.


83 Restrictions on the exercise of the rights enshrined in the Charter must be laid down by law. This means that the legal basis permitting the interference must itself
determine the scope of the restriction on the exercise of the right in question, see in this regard Conclusion 1/15,
EU-Canada PNR Agreement, ECLI:EU:C:2017:592, marginal 139.
(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interests
of the data subject between the controller and another natural or legal person; [...] 


Where a transfer could not be based on a provision of Articles 45 or 46, including the provisions on binding
corporate rules, and none of the derogations for a specific situation referred to in the first subparagraph of
this paragraph apply, the transfer to a third country or international organization may only
take place if the transfer is not repetitive, concerns a limited number of data subjects, is necessary for
compelling legitimate interests of the controller which are not overridden by the interests or rights and
freedoms of the data subject, and the controller has assessed all circumstances in connection with the
data transfer and, based on that assessment, has provided appropriate safeguards for the protection
of personal data. The controller shall inform the supervisory authority of the transfer. In addition to the
information referred to in Articles 13 and 14, the controller shall inform the data subject about the transfer
and the compelling legitimate interests pursued by him or her.”


115. Recital 111 of the GDPR states: “Transfers should be possible in certain cases where the data subject has
expressly consented, where the transfer is incidental and necessary in the context of a contract or in connection
with legal proceedings, whether it concerns a judicial or an administrative or out-of-court procedure, including
procedures before regulatory authorities. [...]”


116. The EDPB Guidelines 2/2018 on Derogations under Article 49 of Regulation 2016/679, adopted on 25 May
2018, state: “The EDPB notes that in Recital 111 the term ‘incidental’ is used and in Article 49, paragraph
1, second subparagraph, in the derogation based on ‘compelling legitimate interests’ the term ‘non-repetitive’
is used. These terms indicate that such transfers can occur more than once - but not regularly -
and should not be part of the general approach, but for example, under random, unknown
circumstances and at irregular intervals. For example, a data transfer that takes place regularly within a
stable relationship between the data exporter and a particular data importer can generally be
considered systematic and repetitive and is therefore not considered incidental and non-repetitive [...]”


4.6.2 Assessment 


117. The AP notes that the processing (including transfers) that takes place as described in situations 1 and 2 with 
regard to the personal data concerning Uber drivers falls within the scope of Articles 7 and 8 of the Charter. 
These provisions guarantee the fundamental rights of drivers. However, the AP notes that since 
these are not absolute rights, derogations that limit these rights are only permissible if they are in 
accordance with Article 52 of the Charter. According to Article 52 of the Charter, these rights may 
only be derogated from if: 
these are provided for by law,84 respect the essence of those rights and freedoms,85 and observe the principle of 
proportionality.86 


118. Article 49 GDPR provides that in the absence of an adequacy decision or appropriate safeguards, a transfer or series of transfers of 
personal data to a third country may only take place provided that the conditions of Article 49 GDPR are met. The AP notes that the 
derogations in this article must be interpreted restrictively and may only be used if strictly necessary.87 The derogations are intended for 
situations in which there is no adequate protection in the country to which the data will be transferred, and where “the risks for 
those involved are relatively small” or because “other interests” weigh more heavily, for example public interests or the interests 
of the data subject, which may outweigh the right to privacy of the (other) data subject.88 This principle is underlined in various 
provisions of Article 49 GDPR, which set limitations on its use,89 and by the principle of derogations from fundamental rights under 
EU law.90 The restrictive use of this article is also supported by the wording of 


84 Restrictions on the exercise of a right enshrined in the Charter must be laid down by law. Where primary and secondary EU legislation is concerned, this should be 
interpreted broadly. Furthermore, the law must be in force and legal. The legality requirement follows from Article 277 TFEU. The law must also be easily accessible and formulated 
with sufficient precision, see ECtHR, CE:ECtHR:1979:0426JUD000653874, paragraph 49. The element of foreseeability is important [...] accessibility and sufficient 
accuracy, see in this regard ECtHR, Open Door and Dublin Well Woman v Ireland, CE:ECtHR:1992:1029JUD001423488, legal grounds 56-60. 
85 The essence of a right as set out in Article 51(1) of the Charter is defined as its absolute inalienable core, see for example Joined Cases C-584/10 P, C-593/10 P & C-595/10 
P, EU:C:2013:518, paragraph 134. According to the Opinion of AG Saugmandsgaard Øe, the requirement laid down in Article 52(1) of the Charter that any restriction on 
the exercise of the rights and freedoms recognized in that instrument respect the essence of those rights and freedoms means that a measure that infringes that essence cannot be 
justified. That measure is then deemed to be contrary to the Charter and must be declared null and void as an act of the Union, without the need to examine the condition of compliance 
with the principle of proportionality, see the AG's Opinion in C-401/19, Republic of Poland v European Parliament, ECLI:EU:C:2021:613, marginal 98-99. Furthermore, the 
‘essential content’ of a fundamental right constitutes an ‘inviolable core’ that must remain free from interference. Therefore, certain exceptionally serious violations of fundamental 
rights are not justified by any purpose, however legitimate. In other words, the end does not justify all means. 
See also the Opinion of the AG in C-311/18, Schrems II, ECLI:EU:C:2020:559, marginal 272. This view is reiterated in the Opinion of Advocate General Giovanni Pitruzzella in 
C-817/19, Human Rights League v Council of Ministers, EU:C:2022:65, delivered on January 27, 2022 (the Opinion has been translated from French because there is no English 
version available). More specifically, it is stated: “Furthermore, it is clear from the wording of Article 52(1) of the Charter, as from the case law of the Court, and in particular 
the Schrems I judgment, that the assessment of whether there is an infringement of the essential content of the fundamental right in question must be made prior to the 
assessment of the proportionality of the contested measure. In other words, it is an independent test.” 

86 See Article 52(1) of the Charter and the case law of the CJEU, see e.g. C-5/88, Wachauf, EU:C:1989:321, paragraph 18. The principle of proportionality is a general principle in 
European law for which a four-part test is applied: 1) does the measure pursue a legitimate aim, 2) is the measure suitable for achieving that aim, 3) is it the least restrictive 
available measure that can achieve the aim as well as with the chosen measure, and 4) have the conflicting interests been properly balanced against each other. 


87 The CJEU underlined that the protection of the fundamental right to respect for private life at EU level requires that derogations and 
restrictions on the protection of personal data only apply to the extent strictly necessary, see judgment C-73/07, Satakunnan 
Markkinapörssi and Satamedia, ECLI:EU:C:2008:727, para. 56; C-92/09 and C-93/09, Volker and Markus Schecke and Eifert, ECLI:EU:C:2010:662, paragraph 77; 
C-293/12 and C-594/12, Digital Rights Ireland, EU:C:2014:238, para. 52; C-362/14, Schrems, ECLI:EU:C:2015:650, para. 92; C-203/15, Tele2 Sweden AB, 
ECLI:EU:C:2016:970, para. 96. 

88 See for example C-362/14, Schrems, ECLI:EU:C:2015:650, para. 92 and C-293/12 and C-594/12, Digital Rights Ireland, ECLI:EU:C:2014:238, para. 52. 

89 Article 49(2-4) GDPR. 

90 C-362/14, Schrems, ECLI:EU:C:2015:650, para. 92 and C-293/12 and C-594/12, Digital Rights Ireland, ECLI:EU:C:2014:238, para. 52. 
the title of Article 49 GDPR, which states that the derogations may only be used for specific situations.91 


119. Furthermore, the AP notes that the use of Article 49 GDPR does not provide additional 
protection or guarantees for transfers of personal data that could lead to an increased risk to the 
rights and freedoms of the data subjects concerned. Furthermore, the AP notes that when the 
transfer takes place on the basis of a derogation, the relevant provisions of the GDPR still apply.92 
Finally, Article 49 GDPR must be read in the light of the Charter.93 


120. Uber has indicated that if the AP concludes that processing takes place that must be regarded 
as transfers within the meaning of Chapter V GDPR, Uber could base the processing 
described for situation 1 on Article 49(1)(b) GDPR.94 According to Uber, the processing 
described for situation 2 could be based on Article 49(1)(c) GDPR.95 Below, the AP 
assesses Uber's reliance on these two derogations in that order. 


The transfers are not incidental 

121. Based on Recital 111 of the GDPR, this derogation may only be used if the transfer is incidental. As stated in the EDPB 
Guidelines, this excludes transfers that “take place regularly within a stable relationship” and cannot apply “to many 
transfers within the business relationship”.96 Any other interpretation would be inconsistent with EU law requiring that a 
derogation from a fundamental right is not interpreted in such a way that it contradicts its exceptional nature.97 


122. The AP notes that the contractual necessity derogation of Article 49(1)(b) GDPR cannot be invoked 
to justify transfer activities as described for situation 1. 
This is because the transfers of data of more than [confidential] Uber drivers between UBV 
and UTI are considered systematic, repetitive and continuous. In that respect, the AP notes, 
in accordance with the EDPB Guidelines, that in light of recital 111, only Article 49(1)(b), (c) and (e) 


91 EDPB Guidelines 2/2018 on derogations under Article 49 of Regulation 2016/679, adopted on 25 May 2018, p. 4. 


92 Article 44 GDPR states that transfers of personal data can only take place under Chapter V “without prejudice to the other provisions of this Regulation”. 


93 C-617/10, Åkerberg Fransson, ECLI:EU:C:2013:280, para. 21. 


94 See ‘View of Uber on research report and intention to enforce’ of June 9, 2023, r. 236, p. 58-59 and p. 71-73 (section 7.3.4.). 
95 See ‘View of Uber on research report and intention to enforce’ of June 9, 2023, r. 236, p. 58-59 and p. 67-71 (section 7.3.3). 
96 EDPB Guidelines 2/2018 on derogations under Article 49 of Regulation 2016/679, p. 11: Data transfers that regularly 
take place in a stable relationship are considered systematic and repetitive, and are therefore no longer ‘incidental’ in nature. Consequently, 
in this case many data transfers within a business relationship cannot be based on Article 49, paragraph 1, (b). 
97 C-623/17, Privacy International v Secretary of State for Foreign and Commonwealth Affairs and Others, ECLI:EU:C:2020:790, paragraph 69. Furthermore, “when 
a provision provides an exception to the general rule, it must be interpreted strictly according to settled case law. That provision should 
therefore not allow the exception to become the mandatory principle ... the rule, because in that case the latter provision would largely lose its content”, 
see C-140/20, Dwyer v Commission for An Garda Siochana, ECLI:EU:C:2022:258, paragraph 40. See e.g. C-203/15 and 
C-698/15, Tele2 Sverige AB, EU:C:2016:970, para. 89; C-511/18, C-512/18 and C-520/18, The Quadrature of Net and Others, EU:C:2020:791, para. 111. 
GDPR can be invoked to justify incidental transfers.98 This view is supported by the general view within Union law, where 
it is established practice to interpret derogations restrictively, and that any limitations or derogations from Articles 7 and 8 of 
the Charter are only admissible to the extent that this is considered strictly necessary.99 The CJEU has taken 
this position many times, stating that a situation in which the exception becomes the rule must be avoided.100 


123. Uber has indicated that the AP's explanation is incorrect and incompatible with Article 49 GDPR. Uber 
substantiates its statements by appealing to the non-binding nature of the recitals of 
the GDPR. Uber states that the ‘incidental’ criterion is not laid down in Article 49 GDPR. According to Uber, the wording of 
Article 49(1) GDPR, which provides that the derogations can be used in specific situations for a ‘transfer’ or ‘series of 
transfers’, does not imply that the provision can be interpreted as meaning that being ‘incidental’ is one of the criteria that 
must be met. 


124. The AP agrees with Uber that the recital does not have binding legal force and that it cannot be relied upon as a basis for deviating 
from actual legal provisions or for interpreting provisions in such a way that they clearly conflict 
with the wording of the provision. However, the AP notes that the recitals in the GDPR "can explain the content of the 
provisions of that law" and that they "include important elements for interpretation, which can clarify the intentions of the 
person who drafted the law."101 And more importantly, the CJEU supports this interpretation in its case law, where it 
explained limits to the scope of the derogation in the light of the recitals. More specifically, the CJEU considers 
that, in order to interpret a provision of EU law, it is necessary to consider not only the wording but also “the context in 
which it takes place and the objective pursued by the rules of which it forms part”102 and that “the scope of the derogation ... 
must be determined in the light of the interpretation thus given by the EU legislator.”103 The CJEU also ruled that an 
interpretation of the derogation without taking into account the recitals expressed by the EU legislator would 
undermine the purpose of the legislation.104 The AP therefore notes that Recital 111 of the GDPR provides the 
necessary clarification in the interpretation of Article 49(1)(b) GDPR in accordance with the objectives pursued by the EU 
legislator and furthermore notes that the recital is not inconsistent with the wording of the aforementioned article. Any other 
interpretation of this article would ignore the intention of the legislator and be contrary to the approach used by the 
CJEU.105 The AP therefore comes to the conclusion 


98 EDPB Guidelines 2/2018 on derogations under Article 49 of Regulation 2016/679. 


99 C-623/17, Privacy International v Secretary of State for Foreign and Commonwealth Affairs and Others, ECLI:EU:C:2020:790, para. 81; C-203/15 and 
C-698/15, Tele2 Sweden AB, EU:C:2016:970; C-511/18, C-512/18 and C-520/18, The Quadrature of Net and Others, EU:C:2020:791, para. 130; C-311/18, Data 
Protection Commissioner v Facebook Ireland Ltd, ECLI:EU:C:2020:559, paragraph 176; Joined cases C-293/12 and C-594/12, Digital Rights Ireland Ltd v 
Minister for Communications, ECLI:EU:C:2014:238, paragraph 52; C-362/14, Schrems, EU:C:2015:650, paragraph 96. 

100 See, for example, C-140/20, Dwyer v Commission for An Garda Siochana, ECLI:EU:C:2022:258, para. 40; C-817/19, Human Rights League, ECLI:EU:C:2022:491, 
paragraph 114; C-401/19, Republic of Poland v European Parliament and the Council of the European Union, EU:C:2022:297, paras. 64 and 74. 

101 C-418/18 P, Puppinck and others v Commission of the European Communities, ECLI:EU:C:2019:1113, para. 75. 

102 C-528/18, Peasant Confederation and Others, EU:C:2018:583, para. 42. 

103 Ibid., paras. 44-46. 

104 Ibid., paras. 51-53. 

105 Ibid., see also e.g. C-424/10 and C-425/10, Ziolkowski v Land Berlin, ECLI:EU:C:2011:866, paras. 42-43. 
that one can only rely on Article 49(1)(b) GDPR to justify ‘incidental’ transfers. 


125. With regard to the processing operations described for situation 1, UBV cannot rely on the 
derogation from Article 49(1)(b) GDPR in the present case to justify the transfer to the United 
States. The AP qualifies this transfer as systematic, repetitive and continuous in a stable, long-term 
business relationship between UBV and UTI. 


126. With regard to the processing operations in situation 2, Uber indicates that these can be based 
on Article 49(1)(c) GDPR. This derogation allows a transfer or a series of transfers to take 
place where “the transfer is necessary for the conclusion or performance of a contract 
concluded in the interests of the data subject between the controller and another natural or 
legal person.” The condition that the transfer must be necessary and incidental also applies to this 
provision. In the present case, UBV cannot use the derogation as a basis for transfer, 
because this transfer is also considered to be systematic and repetitive in nature within a stable, 
ongoing business relationship between UBV and UTI. Moreover, Uber's legal obligation to facilitate 
the rights of data subjects arises not under the agreement, but under the GDPR. 


The transfers are not necessary 

127. In addition to the fact that there is no incidental transfer, Uber cannot successfully rely on 
Article 49(1)(b) and (c) GDPR, because the transfer is not necessary for the execution 
of an agreement between Uber and the data subject or, respectively, between Uber and a third party 
(an agreement in the interest of the data subject). 


128. In this context, the AP recalls that the requirement of necessity as an autonomous Union concept requires that the processing 
must be objectively indispensable for the conclusion of the contract.106 It is irrelevant whether the processing is useful for 
the contract or is mentioned therein.107 Rather, the controller must demonstrate that the main purpose 
of the agreement could not be achieved without that processing.108 The connection of necessity must, as Uber itself 
rightly indicates, be close and substantial in relation to the purpose of the agreement. 


129. An example of necessity is where a data transfer takes place from a travel agent to a hotel in a third country in order to 
establish a contract between the customer and the travel agent. In this case, the link between the transfer and the 
purpose is close and substantial, and there is no realistic alternative available (hotels are often located in third countries). 
An example of a lack of necessity is when a group of companies, for business purposes, 


106 Judgment of the CJEU of 4 July 2023 Meta (ECLI:EU:C:2023:537), para. 98. 
107 Judgment of the CJEU of 4 July 2023 Meta (ECLI:EU:C:2023:537), para. 99 and Opinion of the AG, para. 54. 
108 Judgment of the CJEU of 4 July 2023 Meta (ECLI:EU:C:2023:537), para. 98. 
has centralized payment functions and human resources policy for all its staff in a third country, as there 
is no objective link between the performance of the contract and the transfer.109 


130. Uber has explained the necessity in the present case by firstly pointing out that the transfer takes 
place within the framework of the agreements (Data Sharing Agreement) between UBV in the EU and UTI 
in the US. In the opinion of the AP, this does not make the transfer necessary, precisely because the 
Court has ruled that the mere existence of the agreement itself (the ‘mentioning’) cannot constitute a 
necessity. According to the Court, for the assumption of necessity, ‘there may be no useful, less 
intrusive alternatives’ and the controller must be able to demonstrate this.110 


131. Secondly, Uber believes that centralized data processing in the US is crucial for being able to offer Uber 
services and for guaranteeing the right of drivers in the EU to the protection of their personal data: 
‘only by processing personal data in a centralized manner can Uber apply its comprehensive technical and 
organizational measures worldwide and provide drivers with the highest level of protection’. Uber has not 
been able to make it sufficiently clear to the AP 
why the transfer of personal data to the USA is crucial for the provision of the service and a high level of 
protection. Firstly, as stated in paragraph 128, there is a lack of necessity if a group of companies 
centralizes personal data in a third country for business purposes. In this case, the personal data could 
also have been processed on a server in the EU 
if a third country does not provide an adequate level of protection. Secondly, it seems, in almost 
every conceivable case, that a transfer to a country without an adequate level of protection actually 
undermines the level of protection offered by the GDPR. 


132. Perhaps unnecessarily, the AP notes that although Uber has indicated in its written opinion that the transfer is crucial for 
both offering the services and providing a higher degree of data protection, Uber's explanation 
during the opinion hearing suggests that other motives were at play. Uber has stated that the choice for 
centralized processing in the US was made because the service can be provided faster and 
more efficiently in this way.111 
This means that centralized processing in the US appears to be motivated by reasons that relate much 
more to efficiency.112 


133. In summary, the AP is of the opinion that Uber has not demonstrated why the transfer is objectively necessary for the 
implementation of the agreement and that there are no useful, less intrusive alternatives available. An appeal to 
Article 49(1)(b) and (c) GDPR will therefore not succeed for this reason either. 


109 EDPB Guidelines 2/2018 on derogations under Article 49 of Regulation 2016/679, p. 10. 
110 Judgment of the CJEU of 4 July 2023 Meta (ECLI:EU:C:2023:537), para. 99. 
111 See the minutes of the opinion hearing held on July 5, 2023, p. 6. 


112 Cf. Judgment of the CJEU of 4 July 2023 Meta (ECLI:EU:C:2023:537), para. 99: the Court explicitly states that being ‘useful’ does not 
constitute necessity. 
4.6.3 Conclusion 


134. The AP comes to the conclusion that Uber cannot successfully rely on the derogations (exceptions) for specific 
situations in relation to international transfers as referred to in Article 49(1)(b) and (c) GDPR for the period from 
August 6, 2021 to November 27, 2023. 


4.7 Final conclusion 


135. The AP is of the opinion that personal data of Uber drivers from the EEA are processed by Uber. In addition, there 
is a transfer of personal data as referred to in the GDPR. In the absence of an adequacy decision, within the 
meaning of Article 45 GDPR, transfers of personal data to the United States between July 16, 2020 and 
July 10, 2023 could only take place if appropriate safeguards were provided and data subjects had 
enforceable rights and effective legal remedies. The AP has determined that UBV did not provide the 
appropriate safeguards described in Article 46(2) GDPR at least between August 6, 2021 and November 27, 
2023. Furthermore, UBV (given the unnecessary and structural nature of the processing) cannot successfully 
rely on the exceptions described in Article 49(1)(b) and (c) GDPR. The AP therefore determines that Uber 
was in violation of Article 44 GDPR during the aforementioned period. 


5. The fine 


5.1 Power to impose fines and Uber's view 


136. Uber has put forward several grounds relating to the lack of 
justification for the AP's imposition of an administrative fine or corrective measure. Uber states firstly that the 
investigation report was inadequately and carelessly drawn up. Secondly, according to Uber, the lex certa 
principle and the fact that there is a prospect of concrete legalization (by the EU-US DPF) preclude enforcement 
by the AP. Thirdly, according to Uber, with reference to CJEU case C-807/21, an administrative fine can only 
be imposed if there is intent or negligence and a corrective measure is not appropriate. Finally, Uber states 
that a measure may have disproportionate consequences and that Uber should therefore be given the 
opportunity to submit a separate opinion in order to have more clarity about the possible sanction decision. 


137. The AP does not follow Uber's argument. The AP is of the opinion that based on the facts and the 
assessments based on them, it has been established beyond reasonable doubt that personal data is 
being transferred and that the violation was committed by Uber. Where necessary, the AP has supplemented 
the facts and assessments in response to Uber's view. With regard to Uber's reliance on the lex certa principle, which is 
included in Article 49 of the Charter, the AP considers the following. As the Administrative Jurisdiction 
Division of the Council of State has considered several times,113 


113 See, among others, the judgments of July 9, 2014, ECLI:NL:RVS:2014:2493, January 16, 2019, ECLI:NL:RVS:2019:109. 
the lex certa principle requires the legislator to describe the prohibited conduct as clearly as possible, with a view 
to legal certainty. It should not be forgotten that the legislator sometimes describes prohibited conduct with a 
certain vagueness, consisting of the use of general terms, in order to prevent conduct that is punishable from falling 
outside the scope of that description. This vagueness may be unavoidable, because it is not always possible to predict 
how the interests to be protected will be violated in the future and because, if this is foreseeable, the descriptions of 
prohibited conduct would otherwise become too refined, so that clarity disappears and the importance 
of the general clarity of legislation is thereby damaged. In other words, the lex certa principle requires the legislator to describe 
the prohibited conduct as clearly as possible, with a view to legal certainty.114 


138. The AP comes to the conclusion that this is so in the present case. According to the AP, the provisions against which it tested 
are sufficiently clear. Based on Chapter V of the GDPR, the recitals in the GDPR, the case law on transfers of 
the CJEU and also previous decisions of other European privacy supervisors, it was foreseeable for Uber that 
before transferring personal data to the United States (as a third country) a transfer instrument is necessary. The 
fact that Uber was certified under the new adequacy decision on November 27, 2023 does not affect the AP's authority 
to take enforcement action for the period of two years and three months during which Uber did not have a transfer 
instrument. Based on the facts and the assessments based on them, it is established beyond reasonable doubt 
that the violation was committed by Uber. 


139. The AP has, on the basis of Article 58, second paragraph, opening words and under i, in conjunction with Article 83 of the 
GDPR and read in conjunction with Article 14, third paragraph, of the GDPR Implementation Act, the power to impose 
an administrative fine. In this context, the CJEU firstly specified that the imposition of such a fine requires that the 
infringement was culpably committed by the offender. This includes intentional or negligent actions. A controller has 
committed an infringement intentionally or negligently if he could not have been unaware that his conduct 
constituted an infringement, regardless of whether he was aware that he was infringing the provisions of the GDPR, as 
follows from the case law of the CJEU.115 


140. The AP has determined that Uber has committed a violation of Article 44 GDPR. Based on the GDPR and the case law of the 
CJEU, Uber could have known that a transfer instrument is necessary to transfer personal data to the United States. Due 
to this violation and its seriousness, the AP sees reason to use its authority to impose an administrative fine. 


141. With regard to Uber's position that it was wrongly not given the opportunity 
to express its views on the amount of the fine, the seriousness and extent of the observed violation and the ultimate 
substantiation, the AP finally considers the following. Neither Article 4:8 nor Article 5:50 of the General Administrative 
Law Act (read in conjunction with Articles 5:48 and 5:53 of the General Administrative Law Act) obliges the AP to 

114 Judgment of October 26, 2022, ECLI:NL:RVS:2022:3077. See also ECHR, November 11, 1996, no. 17862/91, ECLI:CE:ECHR:1996:1115JUD001786291. 
115 CJEU, case C-807/21, 5 December 2023, ECLI:EU:C:2023:950, paragraphs 75 and 76. 
comment on these aspects when intending to impose an administrative fine.116 An intention to impose a 
fine and the investigation report based on it are a sufficient basis on which an opinion can be requested. 
The AP reminds Uber of the objection phase, in which Uber can still object to (and must be heard on) 
the amount of the fine and its substantiation. The AP has also taken into account the views that were 
submitted in its assessment. 

What is stated in the opinion may contribute to the decision of the AP to impose an administrative fine, 
after which the AP determines the amount of the fine on the basis of all relevant facts and circumstances 
known to it at that time. For this reason, the AP has not commented on the aspects mentioned by 
Uber in its intention to enforce. 


5.2 Systematic determination of the fine amount 


142. The EDPB agreed to the final text of the 
Guidelines 04/2022 on the calculation of administrative fines under the GDPR (hereinafter: the Guidelines). 
The AP will apply these Guidelines to this case.117 The AP's (national) policy rules on determining the 
amount of administrative fines have, to the extent currently relevant, been withdrawn.118 


143. The Guidelines describe a methodology consisting of the following steps: 


1. identify the processing activities in the case concerned and evaluate the application of Article 
83(3) GDPR; 

2. determine the starting amount for further calculation; 

3. assess whether mitigating or aggravating circumstances arise that require an adjustment of the amount 
from step 2; 

4. determine what maximum amounts apply to the violations and whether any increases from the previous step 
do not exceed this amount; 

5. assess whether the final amount of the calculated fine meets the requirements of effectiveness, deterrence 
and proportionality, and adjust it accordingly if necessary. 


144. These steps are followed successively below. 


5.3 Calculation of fine amount 


5.3.1 Step 1: Determining actions and violations 


145. To determine the starting amount of the fine, as described in the Guidelines, it must first be determined 
whether there are one or more instances of sanctionable conduct. 


116 CBb 7 May 2019, ECLI:NL:CBB:2019:177 
117 See [...] 
118 See [...] 
146. The AP has found that there is a lack of one of the transfer instruments 
laid down in Chapter V GDPR. Uber has thus violated the obligation under Article 44 of the GDPR to use a transfer instrument for 
international transfers. In this case, the calculation of the starting amount relates to two processing activities that fall within the 
context of one sanctionable behavior. 


5.3.2 Step 2: Determine starting amount 


147. As described in the Guidelines, the starting amount of the fine must then be determined. This starting amount forms the 
basis for further calculation in later steps, taking into account all relevant facts and circumstances. The Guidelines state that the 
starting amount is determined on the basis of three elements: i) the classification of the infringements according to Article 83 
paragraphs 4 to 6 GDPR; ii) the gravity of the infringement and iii) the turnover of the company. All three elements are 
discussed below. 


Re i) Classification of the infringements according to Article 83(4) to (6) of the GDPR 


148. As stated in the Guidelines, almost all obligations of the controller are categorized in the provisions of Article 83(4) to (6) GDPR. 
The GDPR distinguishes between two types of infringements: on the one hand, the infringements that can be sanctioned under Article 
83 paragraph 4 GDPR, and for which a maximum fine of € 10 million applies (or in the case of a company, 2% of the annual turnover, 
whichever is higher); on the other hand, the infringements that are sanctionable under Article 83 paragraphs 5 and 6 GDPR, 
and for which a maximum fine of € 20 million applies (or in the case of a company, 4% of the annual turnover, whichever is higher). 
With this distinction, the legislator has provided an initial indication of the seriousness of the infringement: the more serious the 
infringement, the higher the fine. 


149. For the current violation of Article 44 GDPR, an administrative fine of 
a maximum of € 20,000,000.00 (or in the case of a company, 4% of the worldwide annual turnover, whichever is higher) can be imposed. It follows from 
this categorization that the infringement of these provisions is seen (in the abstract) as serious by the legislator. 


Re ii) Gravity of the infringement 


150. When determining the severity of the infringement, account should be taken of the 1) nature, 2) severity and 3) duration of the 
infringement, as well as the intentional or negligent nature of the infringement and the categories of personal data involved. 


151. The nature of the infringement must take into account the interest that the violated provision is intended to protect. The AP notes 
that the intended importance of Article 44 GDPR, namely the continuity of the high level of protection of the GDPR when 
transferring personal data to third countries, has not been guaranteed by Uber. Due to the absence of an adequacy decision or 
appropriate safeguards in the period of the violation, Uber unlawfully transferred personal data to a third 
country, while that third country has an inadequate level of protection. Specifically, this concerns transfers to the United 
States, where intelligence services have access to personal data of EU citizens under local law. This infringement poses a 
direct threat to the right to private life and the right to the protection of personal data as laid down in Articles 7 and 8 of the 
Charter respectively. 


152. To assess the seriousness of the violation, the AP considers the following. With regard to the nature of the 
processing, it is first of all relevant to determine the relationship between the controller and the 
data subjects. The AP notes that in this case there is a hierarchical working relationship between Uber 
and the drivers.119 The AP notes, as described in section 4.3.2, that Uber's actual working method towards 
its drivers also assumes a great deal of dependence. Uber itself also confirms this in its written opinion 
by stating that the drivers 'depend on the income they obtain via the Uber Rides driver app for their daily 
livelihood'.120 Secondly, the nature of the processing carries higher risks, because Uber evaluates personal 
aspects of drivers and makes decisions about them. 


153. With regard to the scope of the processing, the AP notes that there is cross-border processing 
within the meaning of Article 4(23) GDPR. Uber processes personal data of drivers from 
various EU countries. This makes Uber's processing extensive. 


154. With regard to the purpose of the processing, the AP notes that the more central the place of the processing is 
within the core activities of the controller, the more serious irregularities in that processing will be.121 In 
this assessment, processing in the context of generating journeys must be distinguished from handling access 
requests. As for the processing of personal data in the context of generating rides, the AP notes 
that this is an essential part of Uber's core activity, namely mediating as a platform between drivers who 
offer rides and customers who request rides. Without trip generation, it is not possible to suggest rides 
to drivers, and for them to accept and offer them to customers. With regard to the processing of personal 
data for the purpose of handling access requests, the AP notes that this is not part of Uber's core activity, 
because Uber is only trying to comply with a legal obligation arising from the GDPR. It does not independently 
contribute to Uber's revenue model as a commercial company. 


155. Regarding the number of affected people, the AP has found that from August 6, 2021 to mid-February 2023, 
there were an average of [confidential] drivers active for Uber in France and an average of [confidential] 
drivers throughout the EU. On February 17, 2023, there were [confidential] 
active drivers in the EU according to Uber. With regard to transfers in the context of access requests, 
Uber carried out [confidential] access requests between August 2021 and February 2023 with the 
automatic download tool of drivers from the EU. Uber has also carried out [confidential] removal requests for (former) drivers from the EU. 
Finally, Uber indicates that in addition to the download tool, Uber processed [confidential] requests from French (former) drivers for 
a more extensive access request between August 6, 2021 and February 1, 2023. In addition, Uber states in its written opinion that in 
the context of handling access requests by telephone and letter, fewer than ten requests are processed per year. Some requests are 
too complex and must be prepared manually by an Uber BV employee. In this context, this concerns approximately 100 requests in 
the first four months of 2023. 


119 See also French Court of Cassation, March 4, 2020 (Sentencia n°374); Rb. Amsterdam, September 13, 2021 (ECLI:NL:RBAMS:2021:5029), paragraphs 27 to 32. 
120 'View of Uber research report on intention and enforcement' of June 9, 2023, p. 83. 
121 Guidelines 04/2022 for the calculation of administrative fines under the GDPR, marginal 54. 


156. The AP further noted in paragraph 2.5 that the infringement took place from August 6, 2021 to November 27, 2023. That is two years and 
more than three months. This concerns a considerable period. In the opinion of the AP, Uber committed the conduct culpably. 
The violation ceased to exist on November 27, 2023, because Uber certified under the EU-US DPF on that date. 


157. Finally, it must be determined whether Uber has processed personal data that merit special protection 
and therefore lead to a higher severity of the infringement. The amount of data collected on each data subject must 
also be taken into account. As the AP has established in section 2.3, Uber processes a large amount of data about Uber 
drivers. In addition to account data, location data, photos, proof of payment and reviews, Uber also 
processes other data (depending on the legal rules in a country), such as identity documents, criminal law and health data. 
Much of this data is sensitive by its nature. In addition, criminal law and health data are special personal data that enjoy 
additional protection under Article 9 and Article 10 GDPR. In particular, the AP charges Uber for the transfer of criminal data 
to the United States, where it was determined at the time that this country could not provide an adequate level of protection 
and where it was known that government authorities could gain access to personal data stored there. For the above 
reasons, the AP considers the influence of this aspect to increase the overall seriousness of the infringement. 


Ad iii) Turnover of the company 


158. The Guidelines prescribe that, from the point of view of fairness, the starting amount of the fine must be 
related to the size of the company. The size of the company is determined on the basis of turnover. For example, for 
a small company with a turnover of up to € 2 million, the starting amount is generally limited to 0.2 to 0.4% of the 
actual starting amount, and the starting amount increases as the company's turnover increases. If a company has a 
turnover of more than €500 million, the fine is determined as a percentage of the company's annual 
turnover.122 As a result, the size and turnover of the company have already been taken into account in the amount of the fine, 
so that the starting amount does not require adjustment on that basis. 


122 From an annual turnover of €500 million, 4% of the annual turnover is higher than €20 million, so that this percentage must be taken into 
account as a maximum fine (Article 83, fifth paragraph, opening words, of the GDPR). 
159. As mentioned in Recital 150 of the GDPR, when imposing a fine on an undertaking, the “undertaking” should be regarded as an 
undertaking under Articles 101 and 102 of the Treaty on the Functioning of the European Union. It follows from established case 
law of the CJEU that an undertaking is any entity that carries out an economic activity, regardless of its legal form and the way in 
which it is financed. It is therefore about the economic unit of the company and not about the legal entities within it. Several 
companies or entities within the same economic unit can therefore jointly constitute an undertaking within the meaning of the 
aforementioned provisions. 


160. Uber BV is indirectly a fully owned subsidiary of Uber Technologies Inc. They must therefore, for the 
application of Article 83 of the GDPR, be considered to be part of the same company. 


161. As stated in the Guidelines, turnover can be determined on the basis of the company's annual accounts for the previous financial 
year. Pursuant to Article 83(4) to (6) of the GDPR, the worldwide turnover in the previous financial year is taken into account. 


162. Uber Technologies Inc. has published the 2023 annual accounts on its website.123 A consolidated overview of the company is included on 
page 75. This shows that the company's global turnover for 2023 was $37.281 billion. This corresponds to €34.235 billion.124 


Determine starting amount 


163. Pursuant to Article 83(5) of the GDPR, the maximum fine is 4% of the annual turnover. The annual turnover is €34.235 billion, so 
the maximum fine for the violation is €1.369 billion. 


164. The appreciation of the above circumstances and factors determines the overall seriousness of the infringement committed by Uber. This 
involves a thorough assessment of the concrete circumstances of the case in which all circumstances must be viewed together. 


165. In view of what has been considered under i) and ii), the AP takes the position that the level of severity 
of the infringement must be qualified as “high”. According to the Guidelines, for infringements with a high level of seriousness, the 
starting amount should be set at a point between 20% and 100% of the maximum fine of € 1.369 billion in this case. This 
corresponds to an amount between €273.881 million and €1.369 billion. The general rule is that the more serious the infringement 
within its own category, the higher the starting amount will be. 


123 Can be consulted via https://investor.uber.com/financials/default.aspx 


124 The total turnover for 2023 was $ 37,281,000,000, which, with an exchange rate dated July 19, 2024 of 1 dollar to 0.9183 euros, converts to a turnover of € 34,235,142,300. 
166. The AP is of the opinion that, given the circumstances described, the infringement is serious. However, the AP does not consider 
all circumstances to be so serious or negative that the starting amount should be set at the upper limit of the maximum 
fine. The AP has taken into account, among other things, the number of affected parties and the fact that the violation 
has ended. 


167. Based on the categorization of the infringement, the gravity of the infringement and the turnover of the company, the AP sets 
the starting amount for the violation of Article 44 GDPR in this case at € 290 million. 


5.3.3 Step 3: Assess other relevant circumstances 


168. As stated in the Guidelines, it must then be considered whether the circumstances of the case give reason to set the 
fine higher or lower than the starting amount determined above. The circumstances to be taken into account are 
stated in Article 83(2)(a) to (k) of the GDPR. The circumstances mentioned in that provision must each be considered only 
once. In the previous step, the nature, severity and duration of the infringement (part a), the intentional or negligent 
nature of the infringement (part b) and the categories of personal data (part g) have already been taken into account. 
This leaves parts c to f and h to k. 


169. The only applicable circumstance is the manner in which the AP became aware of the infringement, in particular whether, 
and if so to what extent, the controller notified the infringement (section h). In this case, Uber did not report the 
violations itself, but they came to the attention of the AP through complaints. However, according to the Guidelines, 
this is assessed as “neutral” and therefore has no consequences for the amount of the fine to be imposed. 


5.3.4 Step 4: Check whether the maximum amounts applicable for the infringements are exceeded 

170. As mentioned, also taking into account Uber's turnover, a maximum fine of 4% of the company's worldwide 
annual turnover applies to the observed violation. The annual turnover is €34.235 billion, so the maximum fine for the 
violation is €1.369 billion. 

171. Based on the above considerations, the AP sets the amount of the fine for the established 
violation at €290 million. This is below the legal maximum so that it will not be exceeded. 


5.3.5 Step 5: Assessment of effectiveness, proportionality and deterrence requirements 


172. Finally, it must be assessed whether the fine is effective, proportionate and dissuasive. In addition, given the circumstances of 
the case, the administrative fine may not lead to a disproportionate outcome. 


173. The Guidelines prescribe that the imposition of an administrative fine can be considered effective if it achieves the purpose 
for which it was imposed. The aim may be to punish unlawful conduct, as well as to promote compliance with 
applicable regulations. In view of the 
above considerations regarding the nature, severity and duration of the infringement, as well as the 
aggravating and mitigating circumstances of Article 83, paragraph 2, GDPR, the AP is of the opinion that 
the present administrative fine achieves both objectives and is therefore effective and deterrent. 


174. The AP is furthermore of the opinion that the imposition of the fine and its amount is not disproportionate 
due to the seriousness of the violation and the size of the company. Uber has indicated in its opinion 
that imposing an administrative fine will have disproportionate consequences for Uber, because a possible 
notification of the fine to the New York Stock Exchange could have significant consequences for the price 
of Uber's share. However, the AP sees no reason to consider the fine disproportionate. Although it 
cannot be ruled out that the fine may have some influence on Uber's share price, it has not been made 
plausible that this has such an influence that the fine must be considered disproportionate. It is also 
important that the amount of the fine must be sufficiently deterrent and do justice to the nature and 
seriousness of the violation. In the opinion of the AP, no other special circumstances have arisen in this 
context that would cause the fine to be disproportionate. 


175. The AP notes the following for the sake of completeness with regard to the AP Fine Policy Rules 2019. If the 
AP had had to impose a fine based on this policy, then the AP would have seen reason to 
apply Article 8.4 of the AP Fine Policy Rules 2019, given Uber's worldwide turnover and therefore its 
large scale as an offender. In that case, the determination of fine amounts within the fine bandwidth of 
the AP Fine Policy Rules 2019 would not lead to an appropriate punishment that would be effective, 
proportionate and dissuasive. The conclusion is that the AP would have imposed a fine of the same amount 
under the 2019 Fine Policy Rules. 
6. Decision 


Fine 
The AP imposes on Uber BV and Uber Technologies Inc. jointly, for violation of art. 44 GDPR, an administrative 
fine in the amount of € 290,000,000 (in words: two hundred and ninety million euros).125 


Yours faithfully, 
Dutch Data Protection Authority, 


Signed 


Mr. A. Wolfsen 
Chair 


Remedies clause 


If you do not agree with this decision, you can submit an objection digitally or on paper to the Dutch Data 
Protection Authority within six weeks after the date of dispatch of the decision. Pursuant to Article 38 of the 
UAVG, submitting a notice of objection suspends the effect of the decision to impose the administrative fine. 
To submit a digital objection, see www.autoriteitpersoonsgegevens.nl, under the heading 
Contact, item “Objection or complaint about the AP”.126 


The address for paper submission is: 


Dutch Data Protection Authority 
PO Box 93374 
2509 AJ The Hague. 


State 'Awb objection' on the envelope and put 'objection notice' in the title of your letter. 


Include at least the following in your objection: 

- your name and address; 
- the date of your objection; 
- the reference mentioned in this letter (case number), or attach a copy of this decision; 
- the reason(s) why you do not agree with this decision; 
- your signature. 


125 The AP will hand over the claim to the Central Judicial Collection Agency (CJIB). The AP will only collect the fine after any legal (follow-up) procedures regarding this decision have been 
completed. 
126 The direct URL is <https: 